Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Probably they found the vulnerability through Chromium, then extended that to "everything that uses SQLite". Hard to tell anything without more details though.

But if that is the case this is huge. SQLite is used in many places nowadays: Websites, browsers (Chromium and Firefox, I know of), various software including some Android apps. That also probably means the attack vector is some procedure where input is sanitized (assuming SQLite provides that, I never programmed against the C API).



WebKit; worse off, WebKit and Chromium expose SQLite almost directly through WebSQL! Drive-by malware!


If I understand correctly, it requires JS to be enabled (which it is usually).

(Edit: wrong term, it's not "HTML5 Local Storage", it's "HTML5 Database" thanks):

Chromium (EDIT: idk yet)

Webkit2: https://webkitgtk.org/reference/webkit2gtk/stable/WebKitSett...


Drive-by malware used to require Flash or Java... which used to always be enabled.

Edit: don't disable local storage! you'll break lots of things that way, and I don't think that includes WebSQL.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: