Select Page

Google has finally patched a privacy vulnerability in its Chrome web browser for Android that exposes users’ device model and firmware version, eventually enabling remote attackers to identify unpatched devices and exploit known vulnerabilities.

The vulnerability, which has not yet given any CVE number, is an information disclosure bug that resides in the way the Google Chrome for Android generates ‘User Agent’ string containing the Android version number and build tag information, which includes device name and its firmware build.

This information is also sent to applications using WebView and Chrome Tabs APIs, which can be used to track users and fingerprint devices on which they are running.

images from Hacker News