Google fixes vulnerability in Chrome for Android – over three years after it was reported

Icons on Android phone

Google has quietly fixed a security flaw in Chrome for Android that was originally reported more than three years ago.

As reported by ZDNet, the vulnerability was found by bug-hunters at Nightwatch Cybersecurity in May 2015, but wasn't addressed until Google's security staff realized that it was, in fact, a threat.

The flaw means that the mobile browser leaks information about the device it's running on, including the hardware model and firmware version – and therefore its security patch level. Chrome for desktop doesn't suffer the same issue.

Too much information

Browsers send various pieces of information to web servers as part of their normal operation, including details of the browser itself, other apps currently running, and the operating system. Unfortunately, Chrome for Android also sent the device name (such as C6606) and firmware build.

The device name might look random, but it correlates to a specific device model, and can be found easily online in readily available lists. For example, device name C6606 would be a Sony Xperia Z.

That's a security issue in itself, but the accompanying leaked firmware details are the biggest problem. 

"For many devices, this can be used to identify not only the device, but also the carrier on which it is running and from that the country," said Nightwatch Cybersecurity. "Build numbers are easily obtainable from manufacturer and phone carrier websites such as this one."

The build number can also tell attackers the device's security patch level, thereby letting them know which attacks it could be vulnerable to.

Google released a partial fix with Chrome 70 in October 2018, but the browser still releases device names and two Android components (including WebView, which is the built-in browser used by apps like Facebook) still leak the firmware build number.