A security flaw in the massively popular SQLite database engine exposes thousands of desktop and mobile applications to attack. The issue was discovered by Tencent Blade's cybersecurity experts and was dubbed Magellan.
The shocking vulnerability allows attackers to execute malicious code on the targeted computer, leak program memory, or crash the program.
The SQLite database is embedded in thousands of applications, so Magellan affects a very large body of software. The newly discovered vulnerability puts IoT devices, applications for the Android and iOS operating systems, desktop software and web browsers at risk of attack.
Among the major risks that Magellan brings is that the vulnerability can be exploited remotely, even simply by accessing an ordinary web page, if the underlying browser supports SQLite and the Web SQL API, which translates the exploit code into regular SQL syntax.
Firefox and Edge do not support this API, but it is available in Chromium-based browsers. In practice, this means that Chromium-based browsers, such as the widely used Google Chrome, Vivaldi, Opera, and Brave, are affected by the Magellan vulnerability.
Web browsers are the broadest attack surface in this case, but the danger from other ways of exploiting this vulnerability should not be underestimated.
The Tencent Blade team has announced that they have successfully exploited Google Home with the Magellan vulnerability.
They reported their discovery to the SQLite team in autumn, and a patch was shipped on December 1, with the release of SQLite 3.26.0. The vulnerability has also been fixed in Chromium, as well as in Google Chrome 71.
Vivaldi and Brave are now running the latest version of Chromium, but the Opera browser still has an old version of Chromium so it's still affected by Magellan.
Firefox does not support Web SQL but is also affected by the new vulnerability, since it comes with a locally accessible SQLite database. In practice, this means that a local hacker can exploit the vulnerability to execute code or to cause other damage to the victim.
The biggest problem is that, whether or not the SQLite team ships patches for the Magellan vulnerabilities, many applications will remain vulnerable for years to come. The reason is that updating the underlying database engine of any desktop, mobile, or web app is a dangerous process during which data may be corrupted, which is why most developers avoid this update for as long as possible.
Additionally, application developers rarely update libraries and component parts of their applications, so the danger of this vulnerability being present for many years in the app ecosystem is extremely high.
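The check implied by the two paragraphs above, as an added example that is not part of the original article: it compares SQLite and Chrome version strings against the fixed releases the article names (SQLite 3.26.0, Chrome 71) and reports the SQLite version linked into the running Python interpreter. The function names and the sample inventory are constructed for illustration.

```python
import sqlite3

# Fixed releases named in the article.
FIXED_SQLITE = (3, 26, 0)
FIXED_CHROME_MAJOR = 71

def parse_version(text):
    """Turn '3.8.10.2' into (3, 8, 10, 2); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def sqlite_is_patched(version_text):
    v = parse_version(version_text)
    v = v + (0,) * (3 - len(v))  # pad so '3.26' compares equal to '3.26.0'
    return v >= FIXED_SQLITE

def chrome_is_patched(version_text):
    return parse_version(version_text)[0] >= FIXED_CHROME_MAJOR

def linked_sqlite_version():
    """Ask the SQLite library linked into this runtime for its own version."""
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute("SELECT sqlite_version()").fetchone()[0]
    finally:
        conn.close()

def audit(inventory):
    """Return the names of components below the fixed release."""
    checks = {"sqlite": sqlite_is_patched, "chrome": chrome_is_patched}
    flagged = []
    for name, kind, version in inventory:
        try:
            ok = checks[kind](version)
        except (KeyError, ValueError):
            ok = False  # unknown component type or version: needs review
        if not ok:
            flagged.append(name)
    return flagged

# Constructed sample inventory (hypothetical components, not real products).
SAMPLE = [
    ("kiosk-app bundled sqlite", "sqlite", "3.8.10.2"),
    ("sync-agent bundled sqlite", "sqlite", "3.26.0"),
    ("desktop browser", "chrome", "70.0.3538.110"),
    ("build-agent browser", "chrome", "71.0.3578.80"),
    ("legacy tool", "sqlite", "unknown"),
]

if __name__ == "__main__":
    print("linked SQLite:", linked_sqlite_version())
    print("needs update or review:", audit(SAMPLE))
```

An entry whose version cannot be parsed is flagged rather than skipped, since an unknown bundled copy is exactly the case the article warns about.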
For these ethical reasons, Tencent Blade's cybersecurity experts will not yet publish any proof-of-concept. However, the team's ethical decision will not prevent other specialists from analyzing the SQLite patch to work out what the Magellan vulnerability actually is. So we can only hope that the exploit code will not leak online before users have been able to update vulnerable browsers, desktop software, and mobile applications.
Vulnerability assessment lets organisations and software developers quickly identify critical software issues within their web, mobile, and desktop applications. We often talk about continuous vulnerability assessment services and their integration into the application development lifecycle. As new vulnerabilities are discovered and identified, this is how organisations and developers can mitigate security risks and stay ahead of malicious intentions.