Google has amped up its efforts across all of 2018 to increase security in Chrome, but a bug in the Android version of the app that leaked private device data was left unchecked for over three years. According to security researchers at Nightwatch, the bug allowed cybercriminals not only to identify devices that were running Chrome for Android but also to obtain carrier data, firmware version, and security patch information.
The obtainable information was highly sensitive as it could potentially enable cybercriminals to use exploit kits and target devices. Google initially dismissed security concerns surrounding the Chrome app but realized how dangerous the bug could be and finally fixed the issue. The update was released in October 2018.
Despite the update to Chrome, the bug has not been patched out completely. Attackers can still access device name strings, and device name and build data can also be obtained via WebView and Custom Tabs. Custom Tabs are seldom used at the moment, but WebView is popular across a number of apps, including popular social media apps that take advantage of it for logins and connecting different social accounts.
Users who are concerned about their privacy should stop using WebView and can switch to an alternative web browser until the issue is resolved. Google has already been notified about the Chrome bug, and we hope to see a fix soon. Nightwatch has suggested temporary solutions: users can enable the “Request Desktop Site” feature, and web developers can work around the bug by using custom strings that overwrite device data instead of the User Agent ones.
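One way an app that embeds WebView could apply the custom-string workaround, as an added example that is not code from Nightwatch or Google. It assumes the device name and build data travel in the User-Agent string in the format of the constructed samples below; the class name, the `Mobile` placeholder and the choice to keep only the major Android version are hypothetical.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UserAgentScrubber {
    // Platform comment of an Android Chrome/WebView User-Agent, e.g.
    //   (Linux; Android 8.1.0; Pixel 2 Build/OPM1.171019.021; wv)
    // group(1) = Android version, group(2) = WebView marker if present.
    private static final Pattern PLATFORM = Pattern.compile(
        "\\(Linux; (?:U; )?Android ([0-9.]+)[^)]*?(; wv)?\\)");

    // Hypothetical generic token sent in place of the device model.
    private static final String GENERIC_MODEL = "Mobile";

    /** Returns the UA with device model and build tag removed. */
    static String scrub(String ua) {
        if (ua == null) return null;
        Matcher m = PLATFORM.matcher(ua);
        if (!m.find()) return ua;               // not an Android UA: leave as is
        // Keep only the major OS version so the exact firmware level is not sent.
        String major = m.group(1).split("\\.")[0];
        String wv = m.group(2) != null ? "; wv" : "";
        String cleaned = "(Linux; Android " + major + "; " + GENERIC_MODEL + wv + ")";
        return m.replaceFirst(Matcher.quoteReplacement(cleaned));
    }

    public static void main(String[] args) {
        // Constructed sample User-Agent strings, not captured traffic.
        String[] samples = {
            "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM1.171019.021; wv) "
                + "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                + "Chrome/69.0.3497.100 Mobile Safari/537.36",
            "Mozilla/5.0 (Linux; Android 7.0; SM-G930F Build/NRD90M) "
                + "AppleWebKit/537.36 (KHTML, like Gecko) "
                + "Chrome/69.0.3497.100 Mobile Safari/537.36",
            "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
                + "Chrome/69.0.3497.100 Safari/537.36"
        };
        for (String ua : samples) {
            System.out.println(scrub(ua));
        }
        // In an Android app the result would be applied with the platform APIs:
        //   webView.getSettings().setUserAgentString(
        //       UserAgentScrubber.scrub(WebSettings.getDefaultUserAgent(context)));
    }
}
```

Sites that key layout decisions on the device model will see the generic token instead, so test logins and embedded pages after applying it.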