The issues enabled researchers to download all user databases, take over accounts and all Rozcom intercom devices, and gain full access to device cameras and microphones.
In a joint research effort, Check Point Research (CPR) and Claroty Team82 found multiple security flaws in the QuickBlox framework. QuickBlox is a popular chat and video service widely used in the development of smart IoT devices and of finance and telemedicine applications for the web, iOS and Android. While conducting their research, the Claroty Team82 and CPR researchers discovered several major security flaws in the framework’s architecture.
According to the researchers, if these flaws are exploited, threat actors can easily access user databases of countless applications, putting millions of user records at risk of exposure and exploitation.
In their report published on July 12, 2023, the researchers explained that it was possible to exploit QuickBlox’s smart intercom and telemedicine applications, allowing them to remotely open doors through intercom applications and leak patient data from a mainstream telemedicine platform.
The flaws were discovered while examining an intercom mobile application from Israeli vendor Rozcom, which is built on the QuickBlox framework. Exploiting them, the researchers were able to download all user databases, take over accounts and every Rozcom intercom device, and gain full access to device cameras and microphones. That in turn let them tap into the devices’ feeds, open the doors the devices controlled, and more.
Then, researchers assessed a popular telemedicine application created by integrating the QuickBlox SDK. They didn’t disclose the app’s name but did note that it provided chat and video services for patients so they could communicate with doctors.
According to CPR’s technical research, this particular app already contained vulnerabilities of its own, and when these were combined with the QuickBlox flaws, the app leaked its entire user database, including the medical records and the medical and chat history it stored. Moreover, anyone could impersonate a doctor, modify information, or communicate with patients in real time on behalf of their physician.
Applications built with QuickBlox come with APIs for user management, authentication, and real-time private and public chat messaging. The framework also offers HIPAA- and GDPR-compliant security features and an SDK that adds video and voice capabilities. Developers integrate QuickBlox by creating an account at admin.quickblox.com/signup and registering their application there.
They then receive an application ID, authorization key, authorization secret, and account key. With these, the application requests a QB-Token, which it uses for subsequent API requests, and then logs in to an authenticated session that carries the user’s permissions.
This is where the flaw lies. An application session is required before a user session can be created, so every user first has to obtain the application session, which is only possible with knowledge of the application’s ID, authorization key, authorization secret, and account key. These keys therefore have to be available to every user, and the researchers noted that most developers simply embedded the application secrets in the app itself, effectively making them public information.
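The structural problem described above is that the same static secrets are handed to every installed copy of the app, so anyone holding the app bundle can mint an application session. As an added example (not the researchers’ code and not QuickBlox’s own SDK), the following Python sketch shows the usual mitigation: a small server-side broker owns the authorization secret and signs a session request only after it has authenticated the app user through the app’s own identity provider, so the secret never ships to the device. The HMAC-SHA1 signature over alphabetically sorted parameters is modeled on the request-signing rule in QuickBlox’s REST documentation, but the exact parameter names, the `SessionBroker` interface and the credentials are assumptions and constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholder credentials for this example; not real QuickBlox values.
APP_ID = "12345"
AUTH_KEY = "example-auth-key"
AUTH_SECRET = "example-auth-secret-never-ship-in-the-client"


def canonical_query(params):
    """Alphabetically sorted key=value pairs joined by '&'.

    Modeled on the request-signing rule in QuickBlox's REST documentation;
    the exact rule is treated as an assumption here.
    """
    return urlencode(sorted(params.items()))


def sign_session_request(params, auth_secret):
    """HMAC-SHA1 over the canonical query string, keyed with the auth secret.

    The 'signature' key itself is never part of the signed material.
    """
    unsigned = {k: v for k, v in params.items() if k != "signature"}
    msg = canonical_query(unsigned).encode()
    return hmac.new(auth_secret.encode(), msg, hashlib.sha1).hexdigest()


def verify_signature(params, signature, auth_secret):
    """Constant-time check that `signature` matches `params` under `auth_secret`."""
    expected = sign_session_request(params, auth_secret)
    return hmac.compare_digest(expected, signature)


class SessionBroker:
    """Server-side holder of the auth secret (hypothetical component).

    The mobile client authenticates to the broker with the app's own user
    credentials; only then does the broker produce a signed session request
    the client can forward. The auth secret never reaches the device, so
    extracting the app bundle yields no application-level session.
    """

    def __init__(self, app_id, auth_key, auth_secret, authenticate):
        self._app_id = app_id
        self._auth_key = auth_key
        self._auth_secret = auth_secret
        # Injected callable (username, password) -> bool, e.g. the app's
        # existing identity provider; the broker itself stores no passwords.
        self._authenticate = authenticate

    def signed_session_params(self, username, password, now=None):
        """Return signed session parameters for an authenticated user only."""
        if not self._authenticate(username, password):
            raise PermissionError("unknown user or bad password")
        params = {
            "application_id": self._app_id,
            "auth_key": self._auth_key,
            "nonce": str(secrets.randbelow(10**9)),
            "timestamp": str(int(now if now is not None else time.time())),
        }
        params["signature"] = sign_session_request(params, self._auth_secret)
        return params


if __name__ == "__main__":
    # Constructed demo user store; a real deployment would call its identity provider.
    users = {"alice": "correct-horse-battery-staple"}
    broker = SessionBroker(APP_ID, AUTH_KEY, AUTH_SECRET,
                           lambda u, p: hmac.compare_digest(users.get(u, ""), p))
    signed = broker.signed_session_params("alice", users["alice"])
    print("client receives:", signed)
    print("auth_secret present in client payload:", "auth_secret" in signed)
```

The point of the design is where the trust boundary sits: the client still ends up with a signed session request, but it can only obtain one by proving who it is first, and the secret needed to forge one for arbitrary users stays on infrastructure the app owner controls. Anything an application-level session can read is then gated by user authentication rather than by possession of the app binary.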
Adversaries can extract the secrets by reverse engineering the app, or, for popular applications, find that they have already leaked. With nothing more than an application-level session, attackers can obtain sensitive data such as the full list of users and their PII (name, email address, and phone number), create new users, and more.
Anyone who can extract the static QuickBlox settings from an application can therefore retrieve the personal information of all of that application’s users or create any number of attacker-controlled accounts. Moreover, because QuickBlox assigns sequential user IDs, an attacker can create a rogue account and then leak specific users’ details by brute-forcing a limited range of IDs.
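Sequential IDs turn a single leaked session into a user-by-user walk of the whole database, and that walk leaves a distinctive trace in API access logs. As an added example (not code from the researchers or from QuickBlox), the Python below runs a simple detector over constructed log lines: it groups per-user lookups by session and flags any session whose requested IDs form a long run of consecutive integers. The log format and the `/users/<id>.json` path are assumptions for this example, and the threshold is a tunable.

```python
import re
from collections import defaultdict

# Constructed sample of API access log lines for this example; the format is an
# assumption, not QuickBlox's real logging. 'sess-enum' walks IDs 1000..1007.
SAMPLE_LOG = """\
2023-07-12T10:00:01Z app=1234 session=sess-normal GET /users/1001.json 200
2023-07-12T10:00:02Z app=1234 session=sess-normal GET /chat/Dialog.json 200
2023-07-12T10:00:05Z app=1234 session=sess-normal GET /users/1042.json 200
2023-07-12T10:01:00Z app=1234 session=sess-enum GET /users/1000.json 200
2023-07-12T10:01:00Z app=1234 session=sess-enum GET /users/1001.json 200
2023-07-12T10:01:01Z app=1234 session=sess-enum GET /users/1002.json 200
2023-07-12T10:01:01Z app=1234 session=sess-enum GET /users/1003.json 404
2023-07-12T10:01:02Z app=1234 session=sess-enum GET /users/1004.json 200
2023-07-12T10:01:02Z app=1234 session=sess-enum GET /users/1005.json 200
2023-07-12T10:01:03Z app=1234 session=sess-enum GET /users/1006.json 200
2023-07-12T10:01:03Z app=1234 session=sess-enum GET /users/1007.json 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\d+) session=(?P<session>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
USER_PATH_RE = re.compile(r"^/users/(\d+)\.json$")


def parse_log(text):
    """Yield one dict per line that matches the assumed format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in `ids` (0 if empty)."""
    ids = set(ids)
    best = 0
    for start in ids:
        if start - 1 in ids:
            continue  # only count from the first element of a run
        length = 1
        while start + length in ids:
            length += 1
        best = max(best, length)
    return best


def flag_enumeration(text, min_run=5):
    """Map session -> longest consecutive-ID run for sessions at or above min_run.

    Responses are not filtered by status: 404s on nonexistent IDs are part of
    the same probing pattern, so they count toward the run.
    """
    ids_by_session = defaultdict(set)
    for rec in parse_log(text):
        m = USER_PATH_RE.match(rec["path"])
        if m:
            ids_by_session[rec["session"]].add(int(m.group(1)))
    flagged = {}
    for session, ids in ids_by_session.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            flagged[session] = run
    return flagged


if __name__ == "__main__":
    for session, run in flag_enumeration(SAMPLE_LOG).items():
        print(f"{session}: walked {run} consecutive user IDs")
```

A detector like this is a stopgap for operators; the durable fixes are on the service side: per-session rate limits on user lookups, non-guessable (random or opaque) user identifiers, and, as the researchers’ findings imply, not letting an application-level session read other users’ records at all.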
The teams collaborated with the company to address the discovered flaws. Reportedly, QuickBlox has designed a more secure architecture and API to resolve the issue and is urging users to switch to the latest framework version.