Skip to content

Security flaws in QuickBlox expose millions of user records

  • by
  • 4 min read

Several critical security vulnerabilities were discovered in the popular QuickBlox framework, which powers real-time chat and video services in telemedicine, finance, and smart IoT device applications, putting millions of people’s data at risk.

The vulnerabilities, found by Claroty Team82 and Check Point Research, could potentially grant threat actors access to user databases of tens of thousands of applications, putting millions of user records at risk. The researchers were able to exploit Rozcom, an IoT platform, and an unnamed telemedicine application.

The joint research focused on the QuickBlox software development kit (SDK) security. By chaining the identified vulnerabilities with flaws in targeted applications, the researchers could carry out attacks that allowed remote access to intercom applications and leakage of patient information from a major telemedicine platform.

The vulnerabilities discovered in the QuickBlox API allowed anyone with an application-level session to retrieve sensitive information such as a full list of users, personally identifiable information (PII) of individual users, and the availability to create attacker-controlled accounts. Although privacy settings are available to limit API access, the researchers found that only a few applications had disabled this option, leaving most user data vulnerable.


Rozcom vulnerability explained

The research team discovered vulnerabilities in a cloud-based IoT platform for managing smart intercoms sold by an Israeli vendor called Rozcom.

Rozcom architecture explained. | Source: Check Point Research

Exploiting these vulnerabilities allowed the researchers to take control of all Rozcom intercom devices, including accessing cameras and microphones, wiretapping into feeds, and remotely opening doors managed by the devices.

Despite attempts to privately disclose the findings for a year and a half, Rozcom did not address the vulnerabilities. However, the Israeli Cyber Emergency Response Team (IL-CERT) allocated and published CVE-2023-31184 and CVE-2023-31185 on May 4, identifying the two vulnerabilities.

QuickBlox is employed by Rozcom behind the scenes to handle multimedia sessions, facilitating video and audio transfer between the mobile app and the intercom devices. Unfortunately, Rozcom chose to use the user ID, constructed from the building ID and phone number, as the user identifier in QuickBlox. Therefore, by leaking the QuickBlox user database, the researchers gained access to all Rozcom users’ information, including building IDs and users’ phone numbers.


Unnamed telemedicine platform vulnerability explained

By exploiting the vulnerabilities, the hacker can read intimate patient records. | Source: Check Point Research

By exploiting vulnerabilities in both QuickBlox and the telemedicine app, the researchers could leak the entire user database, including sensitive medical records and history stored within the application.

The researchers successfully extracted the embedded QuickBlox application keys, which allowed them to authenticate themselves to the QuickBlox API server, obtain an authentication token, and access the user database of the telemedicine app.

The user base of the unnamed telemedicine application. | Source: Check Point Research

This telemedicine app lets users select their own UserID and Password credentials for authentication. However, through reverse engineering, the researchers discovered that the app creates a new QuickBlox user account for each user. Shockingly, the UserID is used as a login, and a hardcoded static password is assigned to patients and doctors.

This security flaw allowed individuals to log in to QuickBlox on behalf of any user, be it a doctor or a patient, and gain access to their personal information. The exposed data includes personal details, medical history, chat history, and medical record files.

Users are recommended to update the QuickBlox platform to its most up-to-date version.

In the News: Meta and Google illegally share millions of US citizens tax data

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>