[ Jan 04, 2019 ]
Google has finally patched a privacy vulnerability in its Chrome web browser for Android that exposes users’ device model and firmware version, eventually enabling remote attackers to identify unpatched devices and exploit known vulnerabilities.
The vulnerability, which has not yet given any CVE number, is an information disclosure bug that resides in the way the Google Chrome for Android generates ‘User Agent’ string containing the Android version number and build tag information, which includes device name and its firmware build.
This information is also sent to applications using WebView and Chrome Tabs APIs, which can be used to track users and fingerprint devices on which they are running.
This privacy issue can also be used to determine the security patch level on the device and vulnerabilities the device is vulnerable to, which attackers can exploit in a targeted fashion.
Cyber Security Tip :
Users are highly recommended to upgrade to Chrome version 70 or later.