Connect with us

Hi, what are you looking for?


Application Security

API Flaw in QuickBlox Framework Exposed PII of Millions of Users

QuickBlox SDK and API vulnerabilities impact chat and video applications used by industries including telemedicine, smart IoT, and finance.

Research into the widely used QuickBlox SDK and API led to the discovery of critical vulnerabilities built into chat and video applications used by industries including telemedicine, smart IoT, and finance.

The researchers from Claroty Team82 and Check Point Research (CPR) developed PoC exploits demonstrating that these vulnerabilities threatened the personal information of millions of users. They found they could access smart intercoms and remotely open doors, or leak patient data from telemedicine applications.

Developers using the QuickBlox framework must first create a QuickBlox account. This provides the credentials that will be used for the application, and a QB-Token that is used in further API requests.

When the application retrieves the QB-Token, users log in with both the application session and user credentials. However, the process requires the user to know the application credentials — which are usually simply inserted into the application and easily extracted by attackers.

Turning to the API, “We discovered a few critical vulnerabilities in the QuickBlox API that could allow attackers to leak the user database from many popular applications,” report the researchers. They found that anyone with an application-level session could obtain a list of users, retrieve PII, and generate multiple attacker-controlled accounts.

Through Google dorking and search engines such as BeVigil, the researchers then located dozens of other applications using the same QuickBlox framework and subject to the same vulnerability. Extracting the keys was more difficult in some applications than others (through encryption or code obfuscation), but the researchers assert, “Developers can only put in obstacles to complicate recovering the application key; which will always be accessible to attackers, whether it takes five minutes to extract or two hours.”

Advertisement. Scroll to continue reading.

The researchers examined how their discoveries could be used against different applications that incorporated QuickBlox. They provide a case study on Rozcom, an Israel-based provider of video intercoms for building entry. Separately investigating the Rozcom mobile app they found additional vulnerabilities and discovered that user IDs were produced by concatenating an individual building ID and the user’s telephone number.

Turning back to their QuickBlox vulnerabilities, the researchers noted, “Rozcom chose to use the user ID [the concatenation] as the user identifier in QuickBlox. And since we could leak the user database from QuickBlox we could get access to all of Rozcom users including Building IDs as well as the correlating users’ phone numbers.” 

Knowing the building ID and the user phone number ultimately allowed the researchers to impersonate a legitimate user (they had also found they could obtain the user’s authorization code). “This means,” explained the researchers, “the only requirement to retrieve a user’s credentials is their phone number, which we managed to leak using the QuickBlox vulnerability. Moreover, the authentication code is static. Therefore, attackers can easily login on behalf of any user and use the application’s functionality to its extent. This allows them to open the door/gate, open video streams and more; they now fully control the intercom device remotely.”

A diagram of a building with a cloud

Description automatically generated

Using the same approach on a telemedicine app (unnamed, because at the time of writing it was still vulnerable), the researchers discovered they could use the QuickBlox vulnerability to log in on behalf of any user, whether patient or doctor. They found they were able to retrieve personal information including medical history, chat history, and medical files.

“Furthermore,” warned the researchers, “because full impersonation is possible by this attack, anyone can impersonate a doctor and modify information or even communicate in real time via chat and video with real patients on the platform on behalf of an actual physician.”

This joint research into QuickBlox demonstrates the potential scale of the threat from API flaws, especially where the flaw is in a framework used by multiple vendors and multiple applications. In this instance the researchers worked closely with QuickBlox. QuickBlox has fixed the vulnerabilities via a new secure architecture design and new API. Security, however, doesn’t simply depend upon vendors’ fixes – the telemedicine application was still vulnerable at the time of writing because the developer hadn’t incorporated the vendor’s fixes.

Related: OWASP’s 2023 API Security Top 10 Refines View of API Risks

Related: JumpCloud Says All API Keys Invalidated to Protect Customers

Related: Google Improves Android Security With New APIs

Related: Azure API Management Vulnerabilities Allowed Unauthorized Access

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.