Security firm Check Point has disclosed a major vulnerability in SQLite databases that allow hackers to inject malicious code into devices and then carry out whatever actions on the device they want, reports AppleInsider.
SQLite databases are an industry-standard format that is used by virtually every operating system and browser in the world, including Windows 10, macOS, iOS, Chrome, Safari, Firefox, and Android. On the iPhone, the SQLite database vulnerability can be accessed thanks to a known bug in iOS’s Contacts app that has existed for four years now without a fix. As the researchers note in their white paper:
Wait, what? How come a four-year-old bug has never been fixed? This feature was only ever considered vulnerable in the context of a program that allows arbitrary SQL from an untrusted source and so it was mitigated accordingly. However, SQLite usage is so versatile that we can actually still trigger it in many scenarios.
Since the Contacts app is a “trusted source” on iOS, once the researchers replaced a specific component of the Contacts app, the malicious code could be activated and carry out the hacker’s commands with iOS being none the wiser. For the purpose of the demonstration, Check Point only made the app crash on command. However, the security firm notes they could have just as easily used the exploit to insert code that would steal all of an iPhone user’s passwords.
If there’s any silver lining to this vulnerability, it’s that, for now, hackers would need direct access to an unlocked iPhone to replace the component of the Contacts app needed to take advantage of the SQLite vulnerability. Check Point says they have made Apple aware of the exploit, which one hopes the iPhone-maker will fix soon.