Researchers found numerous security flaws in the popular chat service QuickBlox. Exploiting the QuickBlox framework vulnerabilities could let an adversary access users' data in the databases of apps built on the service. QuickBlox has patched the flaws in its latest release and urges developers to update their apps as soon as possible.
QuickBlox Framework Vulnerabilities Risked Users’ Data
According to a recent report from Check Point Research, its researchers, working with Claroty's Team82, discovered numerous vulnerabilities in the QuickBlox framework.
QuickBlox is a chat and video communication platform, delivered as an SDK and API, that is embedded in IoT, telemedicine, finance, and other mobile apps. The service boasts a considerable clientele and serves millions of end users, which means that any vulnerability in it puts the security of millions of users at risk.
That is what the researchers highlighted in their post. Specifically, they found secret tokens and passwords hard-coded inside client apps, where anyone who downloads and unpacks the app can extract them, combined with an insecure QuickBlox API design. Exploiting these weaknesses could let an adversary perform various malicious actions.
For instance, the researchers analyzed Rozcom, an Israeli intercom app. They exploited the QuickBlox framework vulnerabilities to take over target intercom devices, access their cameras and microphones, wiretap the devices' feeds, and control door opening.
Likewise, they analyzed a popular telemedicine service that already had some vulnerabilities of its own. Chaining the app's issues with the QuickBlox flaws allowed the researchers to access the app's user database, including patients' personal data, medical history, chat history with doctors, and medical records. The flaws also allowed them to impersonate doctors and chat with patients in real time without raising any alarms.
In their post, the researchers also shared proof-of-concept exploits against apps running the QuickBlox API and SDK.
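As an added example (not code from the original post, and not from the QuickBlox, Check Point or Claroty teams), here is a small Python check that a developer or auditor can run over the strings of a decompiled app bundle to spot the kind of embedded credentials the research describes. The credential names (AUTH_KEY, AUTH_SECRET, ACCOUNT_KEY), the QB.init call and the sample snippet are assumptions constructed for this demo, not material taken from the report.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the sort of text you get from `strings` on an app binary or
# from a decompiled JS/Java bundle. Every value here is made up for the demo.
SAMPLE_DECOMPILED = """\
var APPLICATION_ID = 12345;
var AUTH_KEY = "ab1cd2ef3gh4ij5";
var AUTH_SECRET = "zYxWvUtSrQpOnMl";
var ACCOUNT_KEY = "9a8b7c6d5e4f3g2h1i0j";
QB.init(APPLICATION_ID, AUTH_KEY, AUTH_SECRET, ACCOUNT_KEY, { debug: false });
const API_BASE = "https://api.example.com/v1";
"""

# Identifier names that usually hold material the client should never ship.
SECRET_NAME = re.compile(
    r"\b(?:auth[_-]?key|auth[_-]?secret|account[_-]?key|api[_-]?secret"
    r"|secret[_-]?key|password|token)\b",
    re.IGNORECASE,
)
# NAME = "value", NAME: "value" or NAME => "value" with a value of 8+ characters.
ASSIGNMENT = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*(?:=|:|=>)\s*['\"](?P<value>[^'\"]{8,})['\"]"
)
# Assumed client-side SDK initialisation call that takes the credentials directly.
INIT_CALL = re.compile(r"\bQB\.init\s*\(")


@dataclass(frozen=True)
class Finding:
    line: int
    name: str
    redacted: str


def redact(value: str) -> str:
    """Keep the first and last two characters so a finding can be matched to
    the real value during triage without pasting the secret into a report."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per secret-looking assignment or client-side init call."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            if SECRET_NAME.search(m.group("name")):
                findings.append(Finding(lineno, m.group("name"), redact(m.group("value"))))
        if INIT_CALL.search(line):
            findings.append(Finding(lineno, "QB.init",
                                    "<SDK initialised in the client with embedded credentials>"))
    return findings


def shipped_secret_names(findings: List[Finding]) -> List[str]:
    """Names of credentials that are present in the shipped artifact, i.e. the
    ones an attacker gets for free by downloading the app."""
    return [f.name for f in findings if f.name != "QB.init"]


if __name__ == "__main__":
    for f in scan_text(SAMPLE_DECOMPILED):
        print(f"line {f.line}: {f.name} = {f.redacted}")
```

Anything the scanner reports is already in the attacker's hands: a secret compiled into a client binary is not a secret, however it is obfuscated. The fix that follows from the research is architectural rather than cosmetic, keeping such credentials on a backend the developer controls and having that backend hand the app only short-lived, per-user session material.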
QuickBlox Patched The Flaws
Upon discovering the vulnerabilities, the researchers reported them to QuickBlox, which promptly patched the flaws. Check Point Research confirmed in its post that the vendor has designed a new API and a new secure architecture for the service.
All service providers using the QuickBlox framework must therefore update their apps to the latest QuickBlox release immediately to receive the patches, since the fix lives in the SDK and API that each app bundles, not in anything end users can update on their own.
Let us know your thoughts in the comments.