Chrome in Android Leaks Device Fingerprinting Info

[silversurfer]

Attackers could craft a campaign that makes use of the device profile in order to exploit any vulnerabilities in a targeted fashion.

Google has issued a partial fix for an Android issue dating back to 2015 – after originally rejecting the bug report on the grounds of the mobile OS “working as intended.”

The issue – which still doesn’t have a CVE designation despite being partially addressed as a problem – has to do with how Android uses Google’s Chrome browser. Chrome is the default browser for Android devices, and it also enables the WebView and Custom Tabs APIs, which let applications render web content within the apps themselves without opening a separate browser window. According to Nightwatch Cybersecurity, Chrome and applications that use the associated APIs leak information about the hardware model, firmware version and security patch level of the device on which they are running.

“This information can be used for track users and fingerprint devices,” said Nightwatch researcher Yakov Shafranovich, in a post last week. “It can also be used to determine which vulnerabilities a particular device is vulnerable to in order to target exploits.”

Source: https://threatpost.com/chrome-in-android...fo/140480/