Google's Chrome is a popular browser. While it is used by billions daily, one of the browser's components was reportedly vulnerable in a way that lets attackers exploit user data by executing malicious code remotely. The vulnerability was discovered recently and has been addressed.
The Magellan 2.0 Vulnerability
Termed Magellan 2.0, this vulnerability, if exploited, lets an attacker execute malicious code remotely and can cause program memory leaks or program crashes. It was surfaced by Tencent Blade Team from China, the same group that discovered its predecessor, Magellan 1.0.
The team says that browsers based on Chromium and services using SQLite databases can be attacked. SQLite stores various browser settings and user data. Any user visiting a malicious site that feeds the SQLite database improper inputs/commands can be hacked. If the attack succeeds, the attacker can operate it remotely.
The Blade Team's study concluded that all apps using the SQLite database are vulnerable to this attack, though none is as exposed as the Chrome browser. Chrome uses the WebSQL API, which translates JavaScript into SQL commands that are fed into SQLite's database, and this is what eventually exposes the user to attack.
The new vulnerabilities are identified as CVE-2019-13734/13750/13751/13752/13753.
A device that does not accept external SQL queries is fine, but browsers with WebSQL or older SQLite functions can be exploited. Below are a few services that can be attacked:
- Chrome/Chromium prior to version 79.0.3945.79 (hereinafter referred to as "old version").
- Smart devices using an old version of Chrome/Chromium.
- Browsers built with the old version of Chromium/Webview.
- Android apps that use an old version of Webview and can access any web page.
- Software that uses the old version of Chromium and can access any web page.
Following the vulnerability disclosure process, Tencent Blade Team decided not to disclose further details of this vulnerability yet. They will do so after 90 days, as specified.
Things To Do
Update as usual. As Tencent has already informed the Google and SQLite teams, they have released security patches in their latest updates. For Chrome, the latest patch, version 79.0.3945.79 (79.0.3945.73 on Android), was released on December 13th and can be downloaded from the Play Store, the App Store and the respective browser stores for web versions.
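To find clients that still need the update, the Python sketch below (an added example, not code from Tencent, Google or SQLite) classifies User-Agent strings against the fixed versions quoted above. The host names and User-Agent lines are constructed samples, and treating any string containing "Android" as subject to the Android threshold is an assumption of this example.

```python
import re

# Fixed versions as stated in the article above.
FIXED_DESKTOP = (79, 0, 3945, 79)
FIXED_ANDROID = (79, 0, 3945, 73)

# Chromium-based browsers and WebView report a four-part Chrome/ or Chromium/ token.
CHROME_TOKEN = re.compile(r"\b(?:Chrome|Chromium)/(\d+)\.(\d+)\.(\d+)\.(\d+)")

def classify(user_agent):
    """Return 'old', 'patched' or 'unknown' for one User-Agent string."""
    m = CHROME_TOKEN.search(user_agent)
    if not m:
        return "unknown"  # not Chromium-based, or version token missing/truncated
    version = tuple(int(part) for part in m.groups())
    # Assumption of this example: "Android" in the string selects the Android threshold.
    fixed = FIXED_ANDROID if "Android" in user_agent else FIXED_DESKTOP
    return "old" if version < fixed else "patched"

def audit(inventory):
    """inventory: iterable of (host, user_agent); returns hosts on an old version."""
    return [host for host, ua in inventory if classify(ua) == "old"]

# Constructed sample inventory (hypothetical hosts, illustrative User-Agent strings).
SAMPLE = [
    ("kiosk-01", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"),
    ("laptop-07", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36"),
    ("tablet-03", "Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.73 Mobile Safari/537.36"),
    ("app-wv-12", "Mozilla/5.0 (Linux; Android 8.1.0; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/74.0.3729.157 Mobile Safari/537.36"),
    ("desk-22", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"),
]

if __name__ == "__main__":
    for host, ua in SAMPLE:
        print(host, classify(ua))
```

A User-Agent string is self-reported and can be changed by the client, so treat the result as a triage list and confirm the installed version on each flagged device.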
Source: Tencent Blade Team