A vulnerability in the popular SQLite database engine puts thousands of desktop and mobile apps at risk. The error, discovered by Tencent’s Blade security team, allows an attacker to run rogue code on a victim’s computer. That’s what ZDNet reports.

It is also possible to leak program memory with the vulnerability or cause the program to crash. SQLite is contained in thousands of apps, which means that the vulnerability has an impact on many different types of software. These include software for computers and IoT devices. Even web browsers and Android and iOS apps can be at risk.

According to the researchers, the vulnerability can also be abused remotely, simply by visiting a web page. This is possible if the underlying browser embeds SQLite and supports the Web SQL API, which exposes the browser's SQLite engine to SQL issued by web pages, so the exploit can be expressed as ordinary SQL syntax. Firefox and Edge do not support the API, but the open source browser engine Chromium does. This means that Google Chrome, Vivaldi, Opera and Brave, among others, are in danger.

Apps are also at risk, including Google Home. “We have successfully exploited Google Home with this vulnerability,” says the Tencent Blade team.

Solution

The researchers claim to have reported the problem to the SQLite team earlier in the autumn. On 1 December, a solution was shipped with the launch of SQLite 3.26.0. The solution was also placed in Chromium, and later in Google Chrome 71. Opera runs on the previous version of Chromium, so this browser is still vulnerable.

In all likelihood, however, many apps will remain vulnerable in the coming years. Updating the underlying database engine of a desktop, mobile or web app is a risky process that sometimes results in data corruption, so most programmers put it off as long as possible.
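Because each app bundles its own copy of the engine, a first defensive check is to inventory the SQLite versions in use and compare them against 3.26.0, the release the article names as carrying the fix. The following is an added example, not code from the article, Tencent or the SQLite project; the app names and versions in the inventory are constructed, and it assumes that 3.26.0 and later contain the fix.

```python
import re
import sqlite3
from typing import Dict, List, Tuple

# First SQLite release carrying the fix, as stated in the article (shipped 1 December 2018).
FIXED_VERSION = (3, 26, 0)


def parse_sqlite_version(text: str) -> Tuple[int, int, int]:
    """Parse a version string such as '3.25.2' or '3.26.0' into a comparable tuple.
    Missing minor/patch components are padded with zeros."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised SQLite version: {text!r}")
    major, minor, patch = (int(g or 0) for g in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if the given SQLite version is at or above the fixed release."""
    return parse_sqlite_version(version) >= FIXED_VERSION


def audit(inventory: Dict[str, str]) -> List[str]:
    """Return the names of inventory entries whose bundled SQLite predates the fix."""
    return sorted(app for app, ver in inventory.items() if not is_patched(ver))


def interpreter_sqlite_is_patched() -> bool:
    """Check the SQLite library linked into this Python interpreter itself."""
    return is_patched(sqlite3.sqlite_version)


# Constructed sample inventory: hypothetical apps and the SQLite version each one bundles.
SAMPLE_INVENTORY = {
    "desktop-notes-app": "3.24.0",
    "mobile-chat-client": "3.26.0",
    "iot-gateway-firmware": "3.19.3",
    "internal-dashboard": "3.27.1",
}

if __name__ == "__main__":
    threshold = ".".join(map(str, FIXED_VERSION))
    for app in audit(SAMPLE_INVENTORY):
        print(f"{app}: bundled SQLite {SAMPLE_INVENTORY[app]} predates {threshold}")
    state = "patched" if interpreter_sqlite_is_patched() else "NOT patched"
    print(f"interpreter sqlite3: {sqlite3.sqlite_version} ({state})")
```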

For this reason, the Tencent Blade team has said it will not publish any proof-of-concept exploit code for the time being. Other security researchers have already started examining the SQLite patch to find out exactly how the vulnerability works.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.