Google patches Chrome for Android vulnerability, three years after it was reported

News by Robert Abel

Google finally got around to patching a three-year-old vulnerability in its Chrome for Android browser, which reveals a phone model and build.

Nightwatch Cybersecurity bug bounty researchers identified the vulnerability back in May 2015, according to a 30 September 2015 blog post, but Google’s security staff didn’t address the threat until they realised how big the issue was years later.

Google released a partial fix in October 2018 with the release of Chrome 70, but the browser still leaks information about the device names and details of two Android components in the device.

The vulnerability is an issue because it allows potential threat actors to identify the device’s security patch level, providing insight into which attacks the device could be vulnerable to, and leaked firmware details could provide more insight into how to exploit a device.

In addition to the model of the device, this information can also be used to identify a user’s carrier and which country the device is from.

The vulnerability was further exacerbated by the fact that many applications on Android use Chrome WebView or Chrome Custom Tabs to render web content. Facebook’s built-in browser still reportedly leaks firmware details, according to Techradar.

This article was originally published on SC Media US.
