Google has quietly fixed a security flaw in Chrome for Android that was originally reported more than three years ago.
As reported by
ZDNet, the vulnerability was found by bug-hunters at Nightwatch Cybersecurity in May 2015, but wasn't addressed until Google's security staff realized that it was, in fact, a threat. The flaw means that the mobile browser leaks information about the device it's running on, including the hardware model and firmware version – and therefore its security patch level. Chrome for desktop doesn't suffer the same issue. Browsers send various pieces of information to web servers as part of their normal operation, including details of the browser itself, other apps currently running, and the operating system. Unfortunately, Chrome for Android also sent the device name (such as C6606) and firmware build. The device name might look random, but it correlates to a specific device model, and can be found easily online in readily available lists. For example, device name C6606 would be a Sony Xperia Z. That's a security issue in itself, but the accompanying leaked firmware details are the biggest problem.