SQLite “Magellan” bug affects Chrome-based browsers, thousands of apps

JC Torres - Dec 16, 2018, 7:15pm CST
With the Internet being people’s primary gateway to today’s services, web browsers have often been the target of hackers and security researchers trying to discover potential vulnerabilities. One such vulnerability has been discovered by Tencent’s Blade security team and nicknamed “Magellan”. While it affects a large chunk of browsers that use the open source Chromium engine, including Google Chrome itself, this time it isn’t the web browser that’s at fault. Instead, it’s the SQLite database that’s used not just by Chromium but by hundreds if not thousands of apps as well.

SQL is a type of relational database that is used in a large number of applications, from holding data served up in websites and blogs to the pieces of data stored by mobile apps on your smartphone. There are many implementations of SQL, including heavyweights like MySQL and PostgreSQL, but SQLite has been favored by many apps and developers precisely because it is lightweight, simple, and easy to use.

Unfortunately, that also means that an exploit like Magellan has far-reaching coverage as well. It’s precisely because of that consideration that Tencent hasn’t released much information to the public about it. In a nutshell, the bug would allow hackers with remote access to an SQLite database to execute potentially malicious code, even crashing the browser. Tencent has already reported the vulnerability to SQLite and Google developers, who have promptly patched code on their ends.

As the bug affects the base Chromium browser engine, it extends to any browser that uses it. The good news is that as of version 71.0.3578.80, Chromium is already safe. Google Chrome, Vivaldi, and Brave are reported to be using this latest version, but Opera is not. Safari isn’t affected at all, but Firefox may be vulnerable if a hacker gains access to the local SQLite database it uses.

SQLite itself has been fixed as of version 3.26, but therein lies another problem. App developers and server administrators are usually wary of updating critical software like databases because of the risk of hosing data completely if something goes wrong. As of Android 8.1 Oreo, Android also uses an older 3.19 version of SQLite. Depending on Magellan’s severity, however, they may have little choice in the matter. It might also be an opportunity for them to check that their backups are up to date and in good condition, if they have any in the first place.
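
For administrators taking stock of what needs updating, here is an added example (not from the original article) that compares SQLite and Chromium version strings against the fixed versions named above. The inventory rows, their names, and the `audit` and `is_patched` helpers are constructed for illustration; only the two thresholds and the Android 3.19 figure come from the article.

```python
import re
import sqlite3

# Fixed versions as stated in the article above.
SQLITE_FIXED = (3, 26)
CHROMIUM_FIXED = (71, 0, 3578, 80)

def parse_version(text):
    """Turn '3.19' or '71.0.3578.80' into a tuple of ints for numeric comparison."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_patched(version, fixed):
    """True if version >= fixed, compared component by component.

    Shorter tuples are zero-padded so '3.26' and '3.26.0' compare equal.
    Plain string comparison gets this wrong: '3.9.2' > '3.26.0' as text.
    """
    v = parse_version(version)
    width = max(len(v), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) >= pad(fixed)

def audit(inventory):
    """Map each (name, kind, version) row to 'patched', 'needs update' or 'unknown'."""
    thresholds = {"sqlite": SQLITE_FIXED, "chromium": CHROMIUM_FIXED}
    report = {}
    for name, kind, version in inventory:
        try:
            ok = is_patched(version, thresholds[kind])
            report[name] = "patched" if ok else "needs update"
        except (KeyError, ValueError):
            # Unknown component type or a vendor-modified version string:
            # flag for manual review instead of guessing.
            report[name] = "unknown"
    return report

# Constructed sample inventory; only the first row is read from the live system.
SAMPLE_INVENTORY = [
    ("this Python runtime", "sqlite", sqlite3.sqlite_version),
    ("Android 8.1 system SQLite", "sqlite", "3.19"),
    ("legacy server build", "sqlite", "3.9.2"),
    ("browser A", "chromium", "71.0.3578.80"),
    ("browser B", "chromium", "70.0.3538.110"),
    ("vendor fork", "sqlite", "3.26-custom"),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name:28} {status}")
```

A version number is only a first-pass signal: a vendor may backport a fix without changing the reported version, so rows marked "needs update" or "unknown" should be confirmed against the vendor's own advisory.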

