iPhone iMessage crash

Noticed a pretty major security bug in the iOS 5 messaging system today.

As we know, iOS uses SQLite to store its messages, therefore I made a quick experiment to check whether the iPhone escapes the messages it receives and made an interesting discovery.

This is how you replicate the bug:
(Successfully replicated on iPhone iOS 5.1.1 and 5.1)

1) Send ' or \ to a contact with iMessage
2) Tap EDIT at the top of the screen
3) Check off the message you just sent
4) Tap FORWARD at the bottom right of the screen
5) Type a number or contact that has iMessage, press send
6) Crash!

My suspicion is that the iPhone's forwarding system does not escape its SQL query correctly.

A short description of unescaped SQL:

Let's say we have a database table that holds each username and its role:
===================
= username | role =
===================
John       | admin
George     | user
===================

Then our imaginary user fills out a form on your website where he submits the name Billy.

A sloppy developer who splices the user's input directly into the database query gets this:

INSERT INTO users (username,role) VALUES('Billy','user');

But let's say that our imaginary user has malicious intent and types: Billy','admin'); --

Then the query will become:
INSERT INTO users (username,role) VALUES('Billy','admin'); -- ','user');

The SQL server interprets everything after the "--" characters as a comment and therefore ignores it. Suddenly Billy, the ordinary user, has elevated himself to admin.
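To make the difference concrete, here is an added example (not code from the original post) that runs the Billy scenario against an in-memory SQLite database with Python's standard sqlite3 module. The table, the two seed rows and the payload string are the ones from the text above; the helper names and the string-formatting style of the "sloppy" insert are my own assumptions. The first insert splices the input into the SQL text, the second passes it as a bound parameter, which is the fix the post is pointing at.

```python
import sqlite3

# Constructed input, exactly as the malicious user types it in the post.
PAYLOAD = "Billy','admin'); --"


def fresh_db():
    """Build the users table from the post with its two seed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.execute("INSERT INTO users (username, role) VALUES ('John', 'admin')")
    conn.execute("INSERT INTO users (username, role) VALUES ('George', 'user')")
    conn.commit()
    return conn


def insert_unescaped(conn, username):
    """The sloppy version: user input is pasted straight into the query text.

    executescript() is used because the injected text turns one statement
    into a statement plus a trailing comment, just as in the post.
    Returns the SQL that was actually executed so the caller can inspect it.
    """
    sql = "INSERT INTO users (username,role) VALUES('%s','user');" % username
    conn.executescript(sql)
    return sql


def insert_parameterized(conn, username):
    """The correct version: the value is bound by the driver, never parsed as SQL."""
    conn.execute(
        "INSERT INTO users (username, role) VALUES (?, ?)", (username, "user")
    )
    conn.commit()


def rows_starting_with(conn, prefix):
    """Return (username, role) pairs whose username begins with prefix."""
    cur = conn.execute(
        "SELECT username, role FROM users WHERE username LIKE ? ORDER BY username",
        (prefix + "%",),
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = fresh_db()
    executed = insert_unescaped(db, PAYLOAD)
    print("executed:", executed)
    print("unescaped result:", rows_starting_with(db, "Billy"))

    db = fresh_db()
    insert_parameterized(db, PAYLOAD)
    print("parameterized result:", rows_starting_with(db, "Billy"))
```

With the unescaped insert the row stored is ('Billy', 'admin'): the quote closes the string, the second value and the closing parenthesis complete the statement, and "--" comments out the rest. With the bound parameter the database stores the whole payload, quote and all, as a plain username with the role 'user'. The same principle applies to the message store on the phone: a stray ' or \ in a message body should reach SQLite as data, not as part of the query.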