Google has reportedly patched a security weakness in its Chrome web browser for Android that could impact users’ privacy.
According to a report, the vulnerability exposes users’ device model and firmware version, which could enable hackers to pinpoint unpatched devices and try to break into them. The report noted that Yakov Shafranovich, a contributor at the Nightwatch Cybersecurity firm, spotted the vulnerability three years ago, but at the time Google said it wasn’t a bug and was working as intended.
“While Android does offer the ability to override these (via WebSettings.setUserAgent() in WebView), most applications choose not to do that to assure compatibility by relying on the default header,” Shafranovich said at the time, according to the report. “For many devices, this can be used to identify not only the device itself, but also the carrier on which it is running and from [which] country.” The report noted that hackers could also use the information to determine the device’s security patch level and which vulnerabilities could be exploited on it.
While Google said it wasn’t a bug back then, the outlet noted that the tech giant addressed the issue somewhat in October of 2018 when it launched Chrome 70. In a recent blog post, Shafranovich said the Chrome 70 update removed only a portion and that the vulnerability still exists. Shafranovich thinks users of all earlier versions of Chrome for Android are impacted by the security bug and should upgrade to Chrome version 70 or later.
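As an added example (not code from the article, the researcher or Google), the sketch below audits a User-Agent header for the device model and firmware build discussed above and produces a minimized header of the kind an app could supply through the WebView override mentioned in the quote. The header layout is assumed from the commonly seen Chrome for Android format; the sample strings and the names `audit_user_agent` and `minimize_user_agent` are constructed for illustration.

```python
import re

# Platform comment assumed to look like: (Linux; Android <os>; <model> Build/<id>[; wv])
_PLATFORM = re.compile(r"\(Linux; Android (?P<os>[^;)]+)(?:; (?P<rest>[^)]*))?\)")
_BUILD = re.compile(r"\s*Build/(?P<build>[^;)\s]+)")

# Constructed sample headers (hypothetical model and build id, placeholder versions).
PRE_70 = ("Mozilla/5.0 (Linux; Android 8.1.0; ExamplePhone X1 Build/ABC1.230101.001) "
          "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.0.0 Mobile Safari/537.36")
POST_70 = ("Mozilla/5.0 (Linux; Android 8.1.0; ExamplePhone X1) "
           "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.0.0 Mobile Safari/537.36")
WEBVIEW = ("Mozilla/5.0 (Linux; Android 8.1.0; ExamplePhone X1 Build/ABC1.230101.001; wv) "
           "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.0.0 Mobile Safari/537.36")


def audit_user_agent(ua):
    """Report which device identifiers a User-Agent string discloses."""
    found = {"os_version": None, "model": None, "build": None, "webview": False}
    m = _PLATFORM.search(ua)
    if not m:
        return found  # not an Android-style header
    found["os_version"] = m.group("os").strip()
    for tok in (t.strip() for t in (m.group("rest") or "").split(";")):
        if tok == "wv":  # token that marks an embedded WebView
            found["webview"] = True
            continue
        b = _BUILD.search(tok)
        if b:  # firmware build id follows the model name
            found["build"] = b.group("build")
            tok = tok[:b.start()].strip()
        if tok:
            found["model"] = tok
    return found


def minimize_user_agent(ua):
    """Keep only the major Android version; drop model, build id and wv token."""
    def _repl(m):
        return "(Linux; Android %s)" % m.group("os").strip().split(".")[0]
    return _PLATFORM.sub(_repl, ua, count=1)


if __name__ == "__main__":
    for name, ua in (("pre-70", PRE_70), ("post-70", POST_70), ("webview", WEBVIEW)):
        print(name, audit_user_agent(ua), "->", audit_user_agent(minimize_user_agent(ua)))
```

Running the audit over the headers an app or a server log actually contains shows whether the build identifier is still being sent after an upgrade.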
The last thing Google needs is a privacy issue, given the increased scrutiny placed on tech companies in the wake of massive data breaches at Facebook. With Congress, consumer advocacy groups and regulators paying close attention to the actions of big technology companies, including Google, those companies are going to great lengths to avoid any whiff of scandal.