Google Partially Patches Flaw in Chrome for Android 3 Years After Disclosure

[ Jan 04, 2019 ]

Google has finally patched a privacy vulnerability in its Chrome web browser for Android that exposes users’ device model and firmware version, ultimately enabling remote attackers to identify unpatched devices and exploit known vulnerabilities.

The vulnerability, which has not yet been assigned a CVE number, is an information disclosure bug in the way Google Chrome for Android generates the ‘User Agent’ string. The string contains the Android version number and build tag information, which includes the device name and its firmware build.

This information is also sent to applications using WebView and Chrome Tabs APIs, which can be used to track users and fingerprint devices on which they are running.

This privacy issue can also be used to determine the security patch level of the device and the vulnerabilities it is exposed to, which attackers can then exploit in a targeted fashion.

Cyber Security Tip:

Users are strongly advised to upgrade to Chrome version 70 or later.
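
As an added example (not code from the original article or from Google), the following Python function audits User-Agent strings, for instance ones collected from your own device fleet, and reports which of the fields described above each one discloses and whether the browser is older than Chrome 70. It assumes the Android token layout `(Linux; Android <version>; <model> Build/<id>)`; the sample strings, the `ExamplePhone` model and the build ID are constructed placeholders.

```python
import re

# Assumed Android token layout (not taken from the article):
#   (Linux; Android <version>; <model>[ Build/<build id>][; wv])
ANDROID_RE = re.compile(r"\(Linux; Android (?P<android>[\d.]+);\s*(?P<rest>[^)]*)\)")
BUILD_RE = re.compile(r"\s*Build/(?P<build>[^;\s]+)")
CHROME_RE = re.compile(r"Chrome/(?P<major>\d+)\.")

# Constructed sample User-Agent strings; model and build ID are placeholders.
TAIL = " AppleWebKit/537.36 (KHTML, like Gecko) Chrome/{}.0.0.0 Mobile Safari/537.36"
SAMPLES = [
    "Mozilla/5.0 (Linux; Android 8.1.0; ExamplePhone Build/XYZ1.000000.001)" + TAIL.format(69),
    "Mozilla/5.0 (Linux; Android 8.1.0; ExamplePhone)" + TAIL.format(70),
    "Mozilla/5.0 (Linux; Android 8.1.0; ExamplePhone Build/XYZ1.000000.001; wv)" + TAIL.format(70),
]


def audit_user_agent(ua):
    """Return the device details an Android Chrome/WebView UA discloses, or None."""
    android = ANDROID_RE.search(ua)
    chrome = CHROME_RE.search(ua)
    if not android or not chrome:
        return None  # not an Android Chrome/WebView User-Agent
    parts = [p.strip() for p in android.group("rest").split(";") if p.strip()]
    device = next((p for p in parts if p != "wv"), "")
    build = BUILD_RE.search(device)
    major = int(chrome.group("major"))
    return {
        "android": android.group("android"),
        "model": BUILD_RE.sub("", device).strip() or None,
        "build": build.group("build") if build else None,
        "webview": "wv" in parts,
        "chrome_major": major,
        "below_chrome_70": major < 70,  # the article recommends 70 or later
    }


def exposing_build(uas):
    """Return the parsed entries whose User-Agent still carries a build tag."""
    reports = [audit_user_agent(ua) for ua in uas]
    return [r for r in reports if r and r["build"]]


if __name__ == "__main__":
    for ua in SAMPLES:
        print(audit_user_agent(ua))
```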


 
