
Issue 494452

Starred by 6 users

Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: ----

Blocked on:
issue 860229




Chrome on Android reveals the exact model and OS version of the device used via user agent

Reported by netwizar...@gmail.com, May 31 2015

Issue description

This template is ONLY for reporting privacy issues. Please use a different
template for other types of bug reports.

Please see http://www.chromium.org/Home/chromium-privacy for further
information.


PRIVACY ISSUE
Chrome on Android reveals the exact model and OS of the device used via user agent

VERSION:
Chrome version 43.0.235778
Operating System: Android 5.1

REPRODUCTION STEPS
The user-agent string on Android reveals both the device and the exact version of Android installed, even in incognito mode. While on the Desktop it is possible to use an extension, that is not possible on the phone.

By comparison, using "Request Desktop Version" sends a more generic header without a build number and OS version, and just says "X11, Linux". The same happens on desktop Linux: it also says the exact flavor of Linux, like Ubuntu, but without the version. IT SHOULD just say "Linux".

By comparison also, Firefox on Android only says "Android", and does not reveal the specific model.
 
Furthermore, this is a violation of RFC 7231, section 5.3.3:

https://tools.ietf.org/html/rfc7231#section-5.5.3

"A user agent SHOULD NOT generate a User-Agent field containing needlessly fine-grained detail and SHOULD limit the addition of subproducts by third parties. Overly long and detailed User-Agent field values increase request latency and the risk of a user being identified against their wishes ("fingerprinting")."

Comment 2 by vabr@chromium.org, Jun 2 2015

Labels: -Privacy -Pri-2 Cr-Privacy Pri-1 OS-Android Cr-Internals Cr-Mobile-WebView
Cc: aelias@chromium.org klo...@chromium.org
Owner: aruslan@chromium.org
Status: Assigned
Status: WontFix
this is wai.

for webview, the client can override.

Comment 5 by 13hu...@gmail.com, Aug 2 2017

Why is this intended?
What use case or additional benefit is provided by revealing the client device model and OS build number in the default UA string?

I can't think of any use case other than identifying screen and graphics properties, which can already be retrieved separately without requiring knowledge of the specific client device model.

Revealing this information makes it easier for sites to fingerprint users, exposing carrier info and security patch levels.
Cc: tnagel@chromium.org
I agree that there is no need to reveal more in the user agent string than is necessary for the website to accommodate different environments.

klobag@, do you know about any use cases for the granularity? If not, I would reopen this.

Comment 7 Deleted

See crbug/527925.
klobag, I can't access issue 527925. Could you please cc me or lift restrictions?

Comment 11 by 13hu...@gmail.com, Nov 14 2017

This is what happens on scam pages when you reveal the device model in the UA.
Attachment: Screenshot_20171113-212040.png (75.5 KB)

Comment 12 by 13hu...@gmail.com, Dec 20 2017

More of this nonsense - the user agent shouldn't be giving them this phone information.
Attachments: Screenshot_20171220-094828.png (149 KB), Screenshot_20171220-095346.png (59.9 KB), Screenshot_20171220-095505.png (163 KB), Screenshot_20171220-095536.png (121 KB)
Sending my build number is disgusting and has no reason! 
@tnagel@chromium.org - this appears to be fixed in bug # 860229 even though it was originally reported here?
Components: -Privacy Privacy>Fingerprinting
Unfortunately it's only been partly fixed so far (dropping the build number on Android). Removing model/make is harder because websites depend on it to work around device-specific bugs and limitations. We have an idea, though:

https://github.com/mikewest/ua-client-hints
https://github.com/mikewest/lang-client-hint
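The partial fix described in this comment (drop the Build/ token, keep the model) can be checked mechanically. The following is an added example for privacy reviewers, not code from Chromium or from anyone in this thread; the User-Agent strings in it are constructed samples, and the parser only covers the "(Linux; Android <version>; <model> Build/<id>)" platform section.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample UAs (not taken from the bug report): one pre-fix Android
# Chrome UA carrying model and build id, and one desktop-mode UA for contrast.
SAMPLE_UA = ("Mozilla/5.0 (Linux; Android 5.1; Nexus 5 Build/LMY47I) "
             "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Mobile Safari/537.36")
DESKTOP_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36")

# Platform section of an Android Chrome/WebView UA. Model and Build/ are both
# optional because newer builds omit the Build/ token (the partial fix above).
_ANDROID_PLATFORM = re.compile(
    r"\(Linux; (?:U; )?Android (?P<version>[\d.]+)(?:; (?P<model>[^;)]+?))?"
    r"(?: Build/(?P<build>[^;)]+))?(?:; wv)?\)"
)

@dataclass
class AndroidUaDetail:
    android_version: str
    model: Optional[str]
    build_id: Optional[str]

def parse_android_ua(ua: str) -> Optional[AndroidUaDetail]:
    """Extract OS version, device model and build id; None if not an Android UA."""
    m = _ANDROID_PLATFORM.search(ua)
    if not m:
        return None
    return AndroidUaDetail(m.group("version"), m.group("model"), m.group("build"))

def granularity_findings(ua: str) -> List[str]:
    """List the fine-grained details a UA exposes, in the sense of RFC 7231 s5.5.3."""
    d = parse_android_ua(ua)
    if d is None:
        return []
    findings = []
    if d.build_id:
        # The build id identifies a specific firmware, hence its patch level.
        findings.append(f"build id {d.build_id}")
    if d.model:
        findings.append(f"device model {d.model}")
    return findings

def strip_build_id(ua: str) -> str:
    """Apply the partial fix: remove ' Build/<id>' while leaving the model in place."""
    return re.sub(r" Build/[^;)]+", "", ua, count=1)
```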
Cc: -tnagel@chromium.org torne@chromium.org
Labels: -Pri-1 Pri-2
Owner: tnagel@chromium.org
Status: Started (was: WontFix)
Assigning to myself. It'll be a long road, but I'm hopeful that we can fix this eventually.
Blockedon: 860229
Thank you for looking into this. The build # is the most dangerous part of this, since it can be used to figure out what security vulnerabilities a particular device has. The model is less dangerous.
