Researchers have discovered a critical vulnerability in Google’s Chromium browser that could be used to steal personal data. Positive Technologies researcher Sergey Toshin uncovered the bug last December and disclosed it to Google in January, which patched the bug a few weeks later. There’s no sign that it was actively exploited, but given the broad reach of the vulnerability, it’s difficult to be sure.

The bug was briefly disclosed in Google’s patch notes from January, described only as a high-severity vulnerability with “insufficient policy enforcement.” After a new report from Positive Technologies, we now know that the bug affected Android’s WebView component, which is commonly used to display pages inside Android apps. More broadly, the vulnerability existed inside Google’s Chromium engine, and it was present in all versions of Android 4.4 and up.

“Malicious payload”

Hackers could have exploited the vulnerability by linking users to a malicious instant app, which would run a small file that has access to a phone’s hardware. From there, attackers could intercept user data. “After an update containing a malicious payload, such applications could read information from WebView. This enables access to browser history, authentication tokens commonly used for login in mobile apps, and other important data,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies.

Any users running Android 7.0 and up should have updated their Google Chrome browser back in January, while users running earlier versions of Android had to update WebView through Google Play. Android users who don’t have Google Play will have to wait for an update from a device manufacturer.