Security researchers from Check Point Software have found a major flaw in SQLite that puts every service and device relying on it at risk. Beyond popular software such as Dropbox and Firefox, that includes all 1.4 billion iOS devices in use.
Check Point presented the vulnerability at Def Con 2019, demonstrating how the SQLite flaw can be used to run malicious code inside the iOS Contacts app.
“SQLite is the most widespread database engine in the world,” said the company in a statement. “It is available in every operating system, desktop and mobile phone. Windows 10, macOS, iOS, Chrome, Safari, Firefox and Android are popular users of SQLite.”
As detailed to AppleInsider, the attack also relies on a bug in SQLite itself that is over four years old and is reachable through the iOS Contacts app.
“Wait, what? How come a four-year-old bug has never been fixed?” the researchers write in their paper. “This feature was only ever considered vulnerable in the context of a program that allows arbitrary SQL from an untrusted source and so it was mitigated accordingly. However, SQLite usage is so versatile that we can actually still trigger it in many scenarios.”
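The practical lesson for developers is the one the quote hints at: an application does not have to accept SQL from users to end up executing attacker-controlled SQL, because an SQLite file it opens carries its own schema, and views and triggers stored in that schema are SQL that runs when the application's ordinary queries touch them. The following is an added example, not code from the article or from Check Point's research. It assumes a hypothetical application whose only legitimate schema is a single `contacts` table; it opens a file it did not create read-only, turns on SQLite's defensive pragmas, runs an integrity check, and refuses the file if its schema contains anything other than the expected table. The two database files it builds are constructed sample data.

```python
"""Vet an SQLite database file from an untrusted source before an application
runs its own queries against it.

Added example (not Check Point's code). The application's expected schema,
the sample files and the findings format are all assumptions for illustration.
"""
import os
import sqlite3
import tempfile
from typing import Dict, List

# Schema this hypothetical application created itself; anything else is suspect.
EXPECTED_TABLES = {"contacts"}


def vet_database(path: str) -> List[str]:
    """Return a list of findings; an empty list means the file passed.

    Opens the file read-only, enables SQLite's defensive pragmas, checks the
    b-tree integrity, then compares the stored schema against the whitelist.
    """
    findings: List[str] = []
    # Read-only open via URI. Assumes a plain path with no '?' or '#' in it.
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        # SQLite >= 3.31: SQL functions used inside views and triggers from the
        # file's schema are not allowed unless marked innocuous. Older builds
        # silently ignore unknown pragmas, so issuing it is always safe.
        con.execute("PRAGMA trusted_schema=OFF")
        # Reject malformed b-tree cells instead of trying to use them.
        con.execute("PRAGMA cell_size_check=ON")

        (status,) = con.execute("PRAGMA integrity_check").fetchone()
        if status != "ok":
            findings.append(f"integrity_check failed: {status}")
            return findings

        # Anything in sqlite_master that the application did not create
        # (views, triggers, extra tables, indexes) is SQL we never wrote.
        for kind, name in con.execute("SELECT type, name FROM sqlite_master"):
            if name.startswith("sqlite_"):
                continue  # SQLite-internal objects such as autoindexes
            if kind == "table" and name in EXPECTED_TABLES:
                continue
            findings.append(f"unexpected {kind} {name!r} in schema")
    finally:
        con.close()
    return findings


def open_if_clean(path: str) -> sqlite3.Connection:
    """Open the file read-only only if vet_database() found nothing."""
    findings = vet_database(path)
    if findings:
        raise ValueError("refusing untrusted database: " + "; ".join(findings))
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def _build_sample(path: str, tampered: bool) -> None:
    """Constructed sample data: the application's own schema, optionally with
    a view and a trigger that a third party added to the file."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE contacts(id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    con.execute("INSERT INTO contacts(name, phone) VALUES ('alice', '555-0100')")
    if tampered:
        con.execute("CREATE VIEW recent AS SELECT name FROM contacts")
        con.execute(
            "CREATE TRIGGER wipe AFTER INSERT ON contacts BEGIN DELETE FROM contacts; END"
        )
    con.commit()
    con.close()


def demo() -> Dict[str, List[str]]:
    """Build one clean and one tampered file, vet both, return the findings."""
    with tempfile.TemporaryDirectory() as workdir:
        clean = os.path.join(workdir, "clean.db")
        tampered = os.path.join(workdir, "tampered.db")
        _build_sample(clean, tampered=False)
        _build_sample(tampered, tampered=True)
        return {"clean": vet_database(clean), "tampered": vet_database(tampered)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or ["ok"])
```

The schema whitelist is the check that matters most: integrity_check only says the file is well-formed, not that its contents are benign, and a perfectly valid file can still carry a view or trigger that the application has never heard of. Rejecting the whole file on any unexpected object is cheaper and safer than trying to reason about what the foreign SQL would do.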
In the demo itself the researchers only crashed the Contacts app, but the same SQLite vulnerability could have been used to steal passwords, since the iOS password manager stores its data in an SQLite database. Check Point believes the exploit has not yet been used in the wild.
Check Point has reported the exploit and its research methodology to Apple.