Status Update
Comments
ne...@gmail.com <ne...@gmail.com> #2
Furthermore, this is a violation of RFC 7231, section 5.3.3:
https://tools.ietf.org/html/rfc7231#section-5.5.3
" A user agent SHOULD NOT generate a User-Agent field containing
needlessly fine-grained detail and SHOULD limit the addition of
subproducts by third parties. Overly long and detailed User-Agent
field values increase request latency and the risk of a user being
identified against their wishes ("fingerprinting").
"
" A user agent SHOULD NOT generate a User-Agent field containing
needlessly fine-grained detail and SHOULD limit the addition of
subproducts by third parties. Overly long and detailed User-Agent
field values increase request latency and the risk of a user being
identified against their wishes ("fingerprinting").
"
va...@chromium.org <va...@chromium.org> #3
[Empty comment from Monorail migration]
[Deleted User] <[Deleted User]> #4
[Empty comment from Monorail migration]
kl...@chromium.org <kl...@chromium.org> #5
This is WAI.
For WebView, the client can override.
13...@gmail.com <13...@gmail.com> #6
Why is this intended?
What use case or additional benefit is provided by revealing the client device model and OS build number in the default UA string?
I can't think of any use case other than identifying screen and graphics properties, which can already be retrieved separately without requiring knowledge of the specific client device model.
Revealing this information makes it easier for sites to fingerprint users, exposing carrier info and security patch levels.
ms...@chromium.org <ms...@chromium.org> #7
I agree that there is no need to reveal more in the user agent string than is necessary for the website to accommodate different environments.
klobag@, do you know about any use cases for the granularity? If not, I would reopen this.
ya...@nightwatchcybersecurity.com <ya...@nightwatchcybersecurity.com> #8
[Comment Deleted]
ya...@nightwatchcybersecurity.com <ya...@nightwatchcybersecurity.com> #9
We published and presented on how this issue can be used to exploit Android phones remotely:
https://wwws.nightwatchcybersecurity.com/2015/09/30/research-chrome-for-android-reveals-phone-model-and-build/
https://wwws.nightwatchcybersecurity.com/2016/11/30/speaking-at-bsidesphilly-this-friday/
https://wwwsnightwatchcybersecuritycom.files.wordpress.com/2016/11/bsides_philly_2016.pdf
kl...@chromium.org <kl...@chromium.org> #10
tn...@chromium.org <tn...@chromium.org> #11
klobag, I can't access https://crbug.com/chromium/527925. Could you please cc me or lift restrictions?
13...@gmail.com <13...@gmail.com> #12
This is what happens on scam pages when you reveal the device model in the UA.
13...@gmail.com <13...@gmail.com> #13
More of this nonsense - the user agent shouldn't be giving them this phone information.
mi...@gmail.com <mi...@gmail.com> #14
Sending my build number is disgusting and has no reason!
ya...@nightwatchcybersecurity.com <ya...@nightwatchcybersecurity.com> #15
@tnagel@chromium.org - this appears to be fixed in bug # 860229 even though it was originally reported here?
tn...@chromium.org <tn...@chromium.org> #16
Unfortunately it's only been partly fixed so far (dropping the build number on Android). Removing model/make is harder because websites depend on it to work around device-specific bugs and limitations. We have an idea, though:
https://github.com/mikewest/ua-client-hints
https://github.com/mikewest/lang-client-hint
[Monorail components: -Privacy Privacy>Fingerprinting]
tn...@chromium.org <tn...@chromium.org> #17
Assigning to myself. It'll be a long road, but I'm hopeful that we can fix this eventually.
tn...@chromium.org <tn...@chromium.org> #18
[Empty comment from Monorail migration]
ya...@nightwatchcybersecurity.com <ya...@nightwatchcybersecurity.com> #19
Thank you for looking into this. The build # is the most dangerous part of this, since it can be used to figure out what security vulnerabilities a particular device has. The model is less dangerous.
nt...@chromium.org <nt...@chromium.org> #20
no-type -> type=Bug (bulk edit). Please adjust as appropriate.
to...@chromium.org <to...@chromium.org> #22
What to do about the model is still undecided - the introduction of UA-CH and the proposed freezing of the user agent may resolve this. Recategorising this as a feature request given that the OS version is the part that is security-relevant, and the model by itself is less of a risk.
aa...@chromium.org <aa...@chromium.org> #23
I seem to recall that some carrier agreements have some very specific requirements about build numbers, model information, and user agent strings in general. I'll dig through some email and see if I can find who to CC. torne@, do you have any experience with that sort of thing?
After looking around, there seems to be at least one carrier that requires an exact make and model number. Silly, but true.
to...@chromium.org <to...@chromium.org> #24
We already removed the build number some time ago and have not had any contacts about it.
Android CTS/CDD has specific requirements about the user agent, but I've already amended it for more recent OS versions to allow these strings to be optional. I would not be surprised if carriers had requirements here too but don't have a contact to talk to on that front. I suspect we could justify, at minimum, moving the model to a client hint so that it's not sent in the UA by default.
[Deleted User] <[Deleted User]> #25
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.
Sorry for the inconvenience if the bug really should have been left as Available.
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
vi...@gmail.com <vi...@gmail.com> #27
[Comment Deleted]
is...@google.com <is...@google.com> #28
This issue was migrated from crbug.com/chromium/494452?no_tracker_redirect=1
[Multiple monorail components: Internals, Mobile>WebView, Privacy>Fingerprinting]
[Monorail blocked-on:crbug.com/chromium/860229 ]
[Monorail mergedinto:crbug.com/chromium/955620 ]
[Monorail components added to Component Tags custom field.]
Description
This template is ONLY for reporting privacy issues. Please use a different
template for other types of bug reports.
Please see http://www.chromium.org/Home/chromium-privacy for further
information.
PRIVACY ISSUE
Chrome on Android reveals the exact model and OS of the device used via user agent
VERSION:
Chrome version 43.0.235778
Operating System: Android 5.1
REPRODUCTION STEPS
The user-agent string on Android reveals both the device and the exact version of Android installed, even in incognito mode. While on the desktop it is possible to use an extension, that is not possible on the phone.
By comparison, using "Request Desktop Version" sends a more generic header without a build number and OS version, and just says "X11, Linux". The same happens on desktop Linux: it also says the exact flavor of Linux, like Ubuntu, but without the version. IT SHOULD just say "Linux".
By comparison also, Firefox on Android only says "Android", and does not reveal the specific model.
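As an added example (not code from the bug report or the Chromium project), a small Python helper that audits what a Chrome-for-Android UA string exposes, counts build-number leaks over a request-log sample, and applies the kind of proxy-side reduction to a generic "Android N; K" token that a privacy gateway could use. The sample UA strings are constructed, and the "Model Build/ID" token layout is assumed from Chrome's historical Android UA format.

```python
import re

# Platform token of a Chrome-for-Android / WebView UA string, for example
# "(Linux; Android 5.1; Nexus 5 Build/LMY48B)".  Model and "Build/..." are
# optional so that reduced UAs (build number already dropped, or "K" as the
# placeholder model) still parse.  Firefox and desktop-mode UAs do not match.
_ANDROID_TOKEN = re.compile(
    r"\(Linux; Android (?P<os>[\d.]+)"
    r"(?:; (?P<model>[^;)]*?))?"
    r"(?: Build/(?P<build>[^;)]+))?[;)]"
)

# Constructed sample UA strings (not taken from the bug report).
UA_FULL = ("Mozilla/5.0 (Linux; Android 5.1; Nexus 5 Build/LMY48B) "
           "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Mobile Safari/537.36")
UA_NO_BUILD = ("Mozilla/5.0 (Linux; Android 9; Pixel 3) "
               "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36")
UA_DESKTOP_MODE = ("Mozilla/5.0 (X11; Linux x86_64) "
                   "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36")


def audit_user_agent(ua: str) -> dict:
    """Return which fine-grained Android details a UA string exposes."""
    m = _ANDROID_TOKEN.search(ua)
    if not m:
        return {"chrome_android": False, "os_version": None,
                "model": None, "build": None}
    model = m.group("model") or None
    if model == "K":          # placeholder used by reduced UA strings
        model = None
    return {"chrome_android": True, "os_version": m.group("os"),
            "model": model, "build": m.group("build")}


def scrub_user_agent(ua: str) -> str:
    """Rewrite the platform token to the generic "Android <major>; K" form,
    the reduction a privacy proxy could apply to outgoing requests."""
    m = _ANDROID_TOKEN.search(ua)
    if not m:
        return ua
    major = m.group("os").split(".")[0]
    generic = "(Linux; Android %s; K%s" % (major, ua[m.end() - 1])
    return ua[:m.start()] + generic + ua[m.end():]


def count_build_leaks(user_agents) -> int:
    """Number of UA strings in a request-log sample that still carry a build id."""
    return sum(1 for ua in user_agents if audit_user_agent(ua)["build"])
```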