Discovered by Tencent’s Blade security team, the vulnerability allows an attacker to run malicious code on the victim’s computer, and in less dangerous situations, leak program memory or cause program crashes.
The bad news, according to Tencent Blade researchers, is that this vulnerability can also be exploited remotely by accessing something as simple as a web page, if the underlying browser support SQLite and the Web SQL API that translates the exploit code into regular SQL syntax.
But while web browsers pose the biggest attack surface, other apps are also affected. For example, Google Home is also vulnerable.
“We successfully exploited Google Home with this vulnerability,” the Tencent Blade team said in a security advisory this week.
Tencent Blade researchers said they reported this issue to the SQLite team earlier this fall. A fix was shipped out on December 1, with the release of SQLite 3.26.0. The fix was also ported inside Chromium, and later in Google Chrome 71, released last week.
Chromium-based browsers like Vivaldi, Opera, and Brave are still one Chromium release behind, meaning they’re most likely still affected.
While it does not support Web SQL, Firefox, too, is affected, since it comes with a locally accessible SQLite database, meaning a local attacker could abuse this vulnerability to execute code and more.
But even if the SQLite team shipped a fix, many apps are likely to remain vulnerable for years to come. Updating the underlying database engine to any desktop, mobile, or web app is a dangerous process, which sometimes can result in data corruption, and most programmers avoid it as long as possible.
App developers rarely update libraries and the component parts of their apps as it is, so the chances that this vulnerability will haunt the app ecosystem for years is pretty high.
Because of this reason, the Tencent Blade team said it would refrain for the time being from releasing any proof-of-concept exploit code. Nonetheless, other security researchers have already started combing the SQLite patch to reverse engineer it and see how the vulnerability works under the hood.
This SQLite vulnerability has not yet received a CVE identification number and Tencent researchers are using the “Magellan” codename to refer to it for now.