Google finally got around to patching a three-year-old vulnerability in its Chrome for Android browser, which reveals a phone model and build.
Nightwatch Cybersecurity bug bounty researchers identified the vulnerability back in May 2015, according to a Sept. 30, 2015 blog post ,but Google’s Security staff didn’t address the threat until they realized how big the issue was years later.
Google released a partial fix in October 2018 with the release of Chrome 70, but the browser still leak information about the device names and details of two Android components in the device.
The vulnerability is an issue because it allow potential threat actors to identify the device's security patch level providing insight into which attacks the device could be vulnerable to and leaked firmware details could provide more insight on how to exploit a device.
In addition to the model of the device, this information can also be used to identify a user’s carrier and from which country the device is from.
The vulnerability was further exacerbated by the fact that many applications on Android use Chrome WebView or Chrome Custom Tabs to render web content. Facebook’s built in browser still reportedly leaks firmware, according to Techradar.
