More than three years after researchers reported to Google a weakness in Chrome for Android that allows an attacker to discover the patch level, firmware version, and hardware model of a device, the company has released a partial fix that hides the firmware build but still doesn’t take care of the entire problem.
The issue stems from the way that the Chrome browser for Android sends information about the device and the software on it to websites. Chrome, which is the default browser on Android devices, sends a specific set of information in the request headers to any site a user visits. That information includes the User Agent string, which in turn includes the Android version number and the build tag identifier. This is similar to the way that desktop browsers behave, sending information to sites to help them identify what type of browser and OS the user is running. The difference is the build tag that Chrome on Android includes.
“The fact that it identifies the operating system and its version is not unique. This follows generally what many other browsers have been doing on desktop and mobile. It is the build tag that is the problem. As described above, the build tag identifies both the device name and its firmware build,” Yakov Shafranovich of Nightwatch Cybersecurity said in an advisory on the issue, published Dec. 25.
“For many devices, this can be used to identify not only the device itself, but also the carrier on which it is running and from that the country. It can also be used to determine which security patch level is on the device and which vulnerabilities the device is vulnerable to.”
For attackers, the build information and other data about the device can be quite valuable. That information can tell an attacker exactly what device model and patch level the user has, which the attacker can then use to decide how to attack that specific device. Many older Android devices have unpatched vulnerabilities that an attacker could target with the right information at hand.
Researchers at Nightwatch discovered the weakness and first reported it to Google in 2015. However, Google engineers said the issue was not a vulnerability and that it wouldn’t be fixed.
“This is [working as intended]. For webview, the client can override,” a Chromium engineer wrote in a response at the time of the initial bug report.
Three years later, a new bug was filed with Google and the company released a partial fix for the issue in Chrome 70 for Android in October. The update, which also applies to Chrome on iOS and the desktop, removes the firmware build information from the Chrome header, but the device’s model number is still there.
“All prior versions are believed to be affected. Users are encouraged to upgrade to version 70 or later. Since this fix doesn’t apply to WebView usage, app developers should manually override the User Agent configuration in their apps,” Shafranovich said.
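As an added example, not code from the article or from Nightwatch's advisory: a small Python audit that parses the Android Chrome and WebView User-Agent formats described above and flags clients that still send the firmware build tag, so a site operator can tell from server logs which visitors (pre-70 Chrome, or apps embedding WebView) still expose it. The log lines are constructed samples, and the field names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample Apache combined-log lines (not from the article); the
# user agents follow the Chrome-for-Android formats before and after Chrome 70.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Dec/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM4.171019.021.P1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36"
203.0.113.11 - - [25/Dec/2018:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36"
203.0.113.12 - - [25/Dec/2018:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.0; SM-G930F Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.80 Mobile Safari/537.36"
203.0.113.13 - - [25/Dec/2018:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
"""

UA_RE = re.compile(r'"([^"]*)"\s*$')            # last quoted field of a combined-log line
PLATFORM_RE = re.compile(r'^Mozilla/5\.0 \(([^)]*)\)')
CHROME_RE = re.compile(r'\bChrome/(\d+)\.')
LOCALE_RE = re.compile(r'^[a-z]{2}(-[a-zA-Z]{2})?$')  # e.g. "en-us" in older UA strings


def parse_android_ua(ua: str) -> Optional[Dict[str, object]]:
    """Return the device details an Android Chrome/WebView UA exposes, or None if not Android."""
    m = PLATFORM_RE.match(ua)
    tokens = [t.strip() for t in m.group(1).split(";")] if m else []
    idx = next((i for i, t in enumerate(tokens) if t.startswith("Android ")), None)
    if "Linux" not in tokens or idx is None:
        return None
    # The model token is the first after the version that is neither a locale nor the WebView marker.
    rest = [t for t in tokens[idx + 1:] if t != "wv" and not LOCALE_RE.match(t)]
    model, _, build_tag = (rest[0] if rest else "").partition(" Build/")
    chrome = CHROME_RE.search(ua)
    return {
        "android_version": tokens[idx][len("Android "):],
        "model": model or None,
        "build_tag": build_tag or None,   # present => firmware build (hence patch level) is exposed
        "is_webview": "wv" in tokens,
        "chrome_major": int(chrome.group(1)) if chrome else None,
    }


def audit_log(log_text: str) -> List[Dict[str, object]]:
    """Flag every Android client in a combined log that still sends the firmware build tag."""
    findings = []
    for line in log_text.splitlines():
        ua = UA_RE.search(line)
        info = parse_android_ua(ua.group(1)) if ua else None
        if info is not None:
            info["leaks_build_tag"] = info["build_tag"] is not None
            findings.append(info)
    return findings
```

Running `audit_log(SAMPLE_LOG)` reports the Chrome 69 client and the WebView client as still leaking the build tag, while the Chrome 70 client exposes only the model, which matches the partial fix described above.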
One workaround for the issue is to go into the Chrome settings on Android and use the Desktop Site option.