Research into the widely used QuickBlox SDK and API led to the discovery of critical vulnerabilities built into chat and video applications used by industries including telemedicine, smart IoT, and finance.
The researchers from Claroty Team82 and Check Point Research (CPR) developed PoC exploits demonstrating that these vulnerabilities threatened the personal information of millions of users. They found they could access smart intercoms and remotely open doors, or leak patient data from telemedicine applications.
Developers using the QuickBlox framework must first create a QuickBlox account. This provides the credentials that will be used for the application, and a QB-Token that is used in further API requests.
When the application retrieves the QB-Token, users log in with both the application session and user credentials. However, the process requires the user to know the application credentials — which are usually simply inserted into the application and easily extracted by attackers.
Turning to the API, “We discovered a few critical vulnerabilities in the QuickBlox API that could allow attackers to leak the user database from many popular applications,” report the researchers. They found that anyone with an application-level session could obtain a list of users, retrieve PII, and generate multiple attacker-controlled accounts.
Through Google dorking and search engines such as BeVigil, the researchers then located dozens of other applications using the same QuickBlox framework and subject to the same vulnerability. Extracting the keys was more difficult in some applications than others (through encryption or code obfuscation), but the researchers assert, “Developers can only put in obstacles to complicate recovering the application key; which will always be accessible to attackers, whether it takes five minutes to extract or two hours.”
The researchers examined how their discoveries could be used against different applications that incorporated QuickBlox. They provide a case study on Rozcom, an Israel-based provider of video intercoms for building entry. Separately investigating the Rozcom mobile app they found additional vulnerabilities and discovered that user IDs were produced by concatenating an individual building ID and the user’s telephone number.
Turning back to their QuickBlox vulnerabilities, the researchers noted, “Rozcom chose to use the user ID [the concatenation] as the user identifier in QuickBlox. And since we could leak the user database from QuickBlox we could get access to all of Rozcom users including Building IDs as well as the correlating users’ phone numbers.”
Knowing the building ID and the user phone number ultimately allowed the researchers to impersonate a legitimate user (they had also found they could obtain the user’s authorization code). “This means,” explained the researchers, “the only requirement to retrieve a user’s credentials is their phone number, which we managed to leak using the QuickBlox vulnerability. Moreover, the authentication code is static. Therefore, attackers can easily login on behalf of any user and use the application’s functionality to its extent. This allows them to open the door/gate, open video streams and more; they now fully control the intercom device remotely.”
Using the same approach on a telemedicine app (unnamed, because at the time of writing it was still vulnerable), the researchers discovered they could use the QuickBlox vulnerability to log in on behalf of any user, whether patient or doctor. They found they were able to retrieve personal information including medical history, chat history, and medical files.
“Furthermore,” warned the researchers, “because full impersonation is possible by this attack, anyone can impersonate a doctor and modify information or even communicate in real time via chat and video with real patients on the platform on behalf of an actual physician.”
This joint research into QuickBlox demonstrates the potential scale of the threat from API flaws, especially where the flaw is in a framework used by multiple vendors and multiple applications. In this instance the researchers worked closely with QuickBlox. QuickBlox has fixed the vulnerabilities via a new secure architecture design and new API. Security, however, doesn’t simply depend upon vendors’ fixes – the telemedicine application was still vulnerable at the time of writing because the developer hadn’t incorporated the vendor’s fixes.