Multiple Security Vulnerabilities in QuickBlox Framework Pose Risk to User Data and IoT Devices

Researchers from Check Point Research (CPR) and Claroty Team82 have jointly uncovered multiple security vulnerabilities in the QuickBlox framework, a widely used chat and video service in smart IoT devices, finance, and telemedicine applications. The flaws in QuickBlox's architecture could allow threat actors to gain unauthorized access to user databases, compromising millions of user records.


In their report, the researchers highlighted the exploitation of QuickBlox's smart intercom and telemedicine applications. Specifically, they found vulnerabilities in an intercom app developed by Israeli vendor Rozcom, which utilized the QuickBlox framework. These vulnerabilities enabled researchers to download user databases, take control of accounts and intercom devices, and access device cameras and microphones. The researchers further demonstrated how they could remotely open doors through intercom apps and leak patient data from a popular telemedicine platform integrated with QuickBlox.


The undisclosed telemedicine app, which provided chat and video services for doctor-patient communication, was found to have vulnerabilities of its own. When combined with the QuickBlox flaws, these resulted in the exposure of the entire user database, including medical records and chat history. This allowed attackers to impersonate doctors, modify information, and interact with patients in real time on behalf of legitimate physicians.


QuickBlox, which offers APIs for user management, authentication, and chat messaging, is known for its compliance with HIPAA and GDPR security standards. However, the flaw was traced back to the application session creation process, where developers had access to sensitive information such as the application ID, authorization key, authorization secret, and account key. Many developers inserted these secrets directly into their applications, making them easily extractable by adversaries via reverse engineering or database leaks.


The research teams collaborated with QuickBlox to address the discovered flaws, leading to the development of a more secure architecture and API. QuickBlox is urging users to upgrade to the latest version of the framework to mitigate the identified vulnerabilities.
