A joint report from Claroty's Team82 and Check Point Research (CPR) describes a set of vulnerabilities in the QuickBlox SDK (Software Development Kit) and API (Application Programming Interface), a framework used to build chat and video applications.
The researchers were able to take over user accounts in dozens of applications built on the QuickBlox framework.
The vulnerabilities were reported to QuickBlox, which fixed them with a redesigned security architecture.
QuickBlox Architecture
To use QuickBlox, a developer creates a QuickBlox account and registers a new application in the QuickBlox Dashboard. The dashboard issues a set of credentials for that application: an Application ID, an Authorization Key, an Authorization Secret, and an Account Key.
These credentials are used to request a QB token (an application session), which authorizes all further API requests made on behalf of the application.
To act as a specific user, the client then upgrades the application session to a user session by supplying that user's login and password alongside the application session.
Per the QuickBlox documentation, every end user of the application therefore has to go through the application session in order to log in.
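The handshake described above, modelled offline as an added example. This is not code from QuickBlox or from the Team82/CPR report: the field names (application_id, auth_key, nonce, timestamp, signature, user[login], user[password]) and the signing scheme (HMAC-SHA1 over the alphabetically sorted key=value pairs, keyed by the Authorization Secret) are recalled from QuickBlox's public REST documentation and should be checked against the current docs. The sample credentials are constructed and nothing is sent over the network. The point it makes is that everything the server can verify derives from the four static values shipped inside the client.

```python
"""Offline model of the QuickBlox application-session handshake.

Added illustration, not code from QuickBlox or from the Team82/CPR report.
Field names and the signing scheme (HMAC-SHA1 over the alphabetically
sorted "key=value" pairs, keyed by the Authorization Secret) follow
QuickBlox's public REST documentation as recalled here; check them against
the current docs before relying on them. Nothing is sent over the network.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials of the kind a developer pastes into an app.
SAMPLE_APP_ID = 12345
SAMPLE_AUTH_KEY = "AbCdEfGhIjKlMnO"
SAMPLE_AUTH_SECRET = "pQrStUvWxYzAbCdEfGh"


def canonical_string(params: dict) -> str:
    """Sort parameters by name and join them as key=value&key=value."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params))


def sign(params: dict, auth_secret: str) -> str:
    """HMAC-SHA1 of the canonical string, hex encoded (assumed scheme)."""
    mac = hmac.new(auth_secret.encode(), canonical_string(params).encode(), hashlib.sha1)
    return mac.hexdigest()


def build_session_request(app_id, auth_key, auth_secret, *, nonce=None,
                          timestamp=None, login=None, password=None) -> dict:
    """Body of POST /session.json.

    Without login/password this yields an application session; with them
    the same request is upgraded to a user session. Everything the signature
    covers is either public (nonce, timestamp) or one of the static
    credentials shipped inside the client.
    """
    params = {
        "application_id": str(app_id),
        "auth_key": auth_key,
        "nonce": str(secrets.randbelow(10**9) if nonce is None else nonce),
        "timestamp": str(int(time.time()) if timestamp is None else timestamp),
    }
    if login is not None:
        params["user[login]"] = login
        params["user[password]"] = password
    params["signature"] = sign(params, auth_secret)
    return params


def verify_session_request(params: dict, auth_secret: str, *, max_skew=120, now=None) -> bool:
    """What the server can check: a valid MAC and a fresh timestamp.

    Note what it cannot check: whether the caller is the genuine app or
    someone who lifted the same values out of the APK.
    """
    unsigned = {k: v for k, v in params.items() if k != "signature"}
    expected = sign(unsigned, auth_secret)
    if not hmac.compare_digest(expected, params.get("signature", "")):
        return False
    now = int(time.time()) if now is None else now
    return abs(now - int(params["timestamp"])) <= max_skew


if __name__ == "__main__":
    req = build_session_request(SAMPLE_APP_ID, SAMPLE_AUTH_KEY, SAMPLE_AUTH_SECRET)
    print("application session request:", req)
    print("accepted by server check:", verify_session_request(req, SAMPLE_AUTH_SECRET))
```

The verifier accepts any request built from the Application ID, Authorization Key and Authorization Secret; a user session additionally needs that user's password, but an application session alone is enough to reach any endpoint that does not insist on a user session. That asymmetry is what the rest of the article is about.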
Most applications that use QuickBlox simply embed these application credentials in the client, where they are easy to recover by reverse engineering the app or by hooking it at runtime with tools such as Frida.
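A check a practitioner would want before shipping: scan decompiled sources and resources for exactly this pattern. The scanner below is an added example, not code from the report or from QuickBlox. It assumes the QuickBlox Android SDK is initialised with QBSettings.getInstance().init(context, appId, authKey, authSecret) and QBSettings.getInstance().setAccountKey(accountKey), as the SDK docs describe; the decompiled Java and strings.xml fragments it runs over are constructed samples, not taken from any real application.

```python
"""Flag QuickBlox application credentials hard-coded in an Android client.

Added example, not code from Team82, CPR or QuickBlox. Assumes the SDK entry
points QBSettings.getInstance().init(context, appId, authKey, authSecret)
and QBSettings.getInstance().setAccountKey(accountKey); the inputs below
are constructed samples of decompiled output.
"""
import re

# Constructed sample of decompiled Java, not from any real application.
SAMPLE_JAVA = '''
public class App extends Application {
    private static final String APP_ID = "12345";
    private static final String AUTH_KEY = "AbCdEfGhIjKlMnO";
    private static final String AUTH_SECRET = "pQrStUvWxYzAbCdEfGh";
    private static final String ACCOUNT_KEY = "zYxWvUtSrQpOnMlKjIhG";
    public void onCreate() {
        QBSettings.getInstance().init(getApplicationContext(), APP_ID, AUTH_KEY, AUTH_SECRET);
        QBSettings.getInstance().setAccountKey(ACCOUNT_KEY);
    }
}
'''

# Constructed sample res/values/strings.xml, not from any real application.
SAMPLE_STRINGS_XML = '''
<resources>
    <string name="app_name">Demo Chat</string>
    <string name="qb_auth_secret">pQrStUvWxYzAbCdEfGh</string>
</resources>
'''

# String constants: `String NAME = "value"` (works for static final fields too).
CONST_RE = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"')
# The SDK init call; first argument is the Context, the next three are the credentials.
INIT_RE = re.compile(r'QBSettings\.getInstance\(\)\.init\(\s*[^,]+,\s*([^,]+),\s*([^,]+),\s*([^)]+)\)')
ACCOUNT_RE = re.compile(r'QBSettings\.getInstance\(\)\.setAccountKey\(\s*([^)]+)\)')
# Resource names that look QuickBlox-related (qb_app_id, qb_auth_key, quickblox_secret, ...).
XML_RE = re.compile(r'<string\s+name="([^"]*(?:quickblox|qb_?(?:app|auth|account)[^"]*))"\s*>([^<]*)</string>', re.I)


def _resolve(token: str, constants: dict):
    """Turn an argument into its literal value: a quoted string or a known constant."""
    token = token.strip()
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return constants.get(token)  # None if the value is built at runtime


def find_embedded_credentials(java_source: str, strings_xml: str = "") -> list:
    """Return one finding per credential that is recoverable as a literal."""
    constants = dict(CONST_RE.findall(java_source))
    findings = []
    for m in INIT_RE.finditer(java_source):
        for field, tok in zip(("application_id", "auth_key", "auth_secret"), m.groups()):
            value = _resolve(tok, constants)
            if value is not None:
                findings.append({"field": field, "source": "java", "value": value})
    for m in ACCOUNT_RE.finditer(java_source):
        value = _resolve(m.group(1), constants)
        if value is not None:
            findings.append({"field": "account_key", "source": "java", "value": value})
    for name, value in XML_RE.findall(strings_xml):
        findings.append({"field": name, "source": "strings.xml", "value": value})
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_JAVA, SAMPLE_STRINGS_XML):
        print(f"{f['source']:12} {f['field']:16} {f['value']}")
```

Any finding here is a build failure, not a warning: the previous paragraph is the reason. Pushing the literals through obfuscation or string encryption only changes the effort from static extraction to a runtime hook.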
QuickBlox Vulnerabilities
With the application credentials extracted, the research team could obtain an application session and call endpoints that should never be reachable without an authenticated user: listing every user of the application (GET /users.json), retrieving a user's PII such as name, email address and phone number (/users/ID.json, where ID is the numeric user ID), and creating new users (POST /users.json).
An attacker holding these static application credentials can therefore enumerate and take over user accounts and create any number of attacker-controlled accounts.
Beyond this framework-level issue, several applications added weaknesses of their own by not implementing appropriate security controls on top of QuickBlox.
The most critical of these were in telemedicine and intercom/communication products.
Case Studies and Impact
The report presents two case studies: a telemedicine Android application and an Israeli intercom product, both built on QuickBlox.
For the intercom, the researchers could extract device and user information and perform actions such as eavesdropping on calls, opening doors, and controlling the device microphone.
In the telemedicine case, they could access sensitive data including patients' medical records and history, chat histories between patients and doctors, and doctors' records.
In the worst case, an attacker exploiting these flaws could impersonate a real physician.
Team82 has published a full report with details of the methods used and the exploitation steps.