SQLite Vulnerability Could Expose Sensitive Data from Chrome, Firefox, More

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
SQLite 3.13.0, released at the end of May, contained a fix for a potentially dangerous vulnerability that could be used to leak sensitive data from SQLite temporary files.

While SQLite is not the first name that comes to mind when you say "database," this is one of those crucial projects that are used all over the place in various desktop or Web-based products from companies like Adobe, Google, Microsoft, Mozilla, but also many others.

According to security researchers from KoreLogic, all SQLite versions prior to 3.13.0 contained an information disclosure issue that originated in the way the database selected the directory where to store temporary files, used to save data that's in transit through the database.

Failing SQLite checks may change temp file location
Researchers say that SQLite would carry out a series of checks on the app's desired location to store temporary files. If these checks failed, SQLite would store temporary files in the "." path, which was the app's current folder.

"[T]his [vulnerability] could lead to insecure behavior by some application using SQLite under these conditions," KoreLogic explains.

Researchers explain that SQLite-based applications could write temporary files on NFS or SMB network shares, making data capture possible, or on removable drives, which can be taken out of the user's physical control.

Updating all vulnerable SQLite-based applications will take a while
These temporary files can, in theory, contain sensitive data not meant to be shared outside the original application's scope. For example, Web traffic for browsers or details about downloaded files for a BitTorrent client.

Updating all apps using older SQLite databases should take a while. In the meantime, developers should review their code based on KoreLogic's findings.

Just like the latest wget, Libarchive, 7-ZIP, and Graphite vulnerabilities, this shows once again how difficult it is to properly secure software that's based on multiple open-source packages.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top