Claroty’s Team82, Check Point reveal serious security vulnerabilities in QuickBlox chat and video framework

Researchers from Claroty’s Team82 and Check Point Research (CPR) conducted a joint research project that examined the security of the QuickBlox software development kit (SDK) and application programming interface (API). The research identified major security vulnerabilities in the QuickBlox platform architecture that, if exploited, could let attackers access the user databases of tens of thousands of applications and put millions of user records at risk.

The researchers demonstrated exploits against multiple applications that run the QuickBlox SDK under the hood, specifically smart intercom and telemedicine applications. QuickBlox powers real-time chat and video services in telemedicine, finance, and smart IoT device applications, so a weakness in its platform architecture exposes personal information across all of them. Two of the application-level flaws found along the way, in a smart intercom vendor’s platform, were assigned CVE-2023-31184 and CVE-2023-31185.

“By chaining the vulnerabilities we identified with other flaws in the targeted applications, we found unique ways to carry out attacks that enabled us to remotely open doors via intercom applications, and also leak patient information from a major telemedicine platform,” Amir Preminger, Sharon Brizinov, Itay Cohen, and Oleg Ilushin, wrote in a Team82 blog post on Wednesday. “Team82 and CPR worked closely with QuickBlox to resolve all of the uncovered vulnerabilities. QuickBlox committed to the fix by designing a new, secure architecture and API, and urging its customers to migrate to the latest version.”

The write-up from Team82 and CPR also includes proof-of-concept exploits against applications running the QuickBlox SDK and API, along with details of several application-specific attack chains that could, for example, give an attacker access to smart intercoms and let them remotely open doors, or leak patient data from telemedicine applications.

They also walked through QuickBlox’s authentication flow. A client first obtains an application session, a QB-Token issued to the application itself, and then uses that session to log the user in. The resulting user session is authenticated and carries that user’s permissions, so every later API call runs in that user’s context.

“However, this way of authentication exposes a major flaw: an application session is required to create a user session. This means that each user must obtain an application session, which requires knowledge of the application’s secrets, specifically the Application ID, Authorization Key, Authorization Secret, and Account Key,” the researchers disclosed. “In order to make it technologically applicable, app developers had to make sure these secret keys are accessible to all users. When looking at applications using QuickBlox, we noticed that most of them chose to simply insert the application secrets into the application.”

The team also pointed out that when “we first noticed that the official documentation guides customers to add secrets (AUTH_KEY, AUTH_SECRET) to their applications, we felt uneasy. It’s never a good idea to hide secret authentication tokens in applications because they are considered public information and can be easily extracted using various methods, from reverse engineering to dynamic analysis with Frida.”
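The practical consequence of the flow described above is easiest to see in code. The following is an added example, not code from QuickBlox, Team82 or CPR. It assumes the signing scheme from QuickBlox’s public REST documentation, namely an HMAC-SHA1 keyed with the application’s auth_secret over the request parameters joined as "key=value" pairs in alphabetical key order, hex-encoded; the freshness window in the verifier and the app credentials are constructed for the mock and not taken from any real application.

```python
"""Added example (not QuickBlox's or Team82's code): how a QuickBlox application
session request is signed, and why an embedded auth_secret cannot protect it.

Assumed signing scheme (QuickBlox REST docs): HMAC-SHA1, keyed with auth_secret,
over the request parameters joined as "k=v&k=v" in alphabetical key order, hex-encoded.
The freshness window in verify_session_request is an assumption for this mock."""
import hashlib
import hmac
import secrets
import time

FRESHNESS_SECONDS = 120  # assumed server-side tolerance on the timestamp (mock only)


def canonical_string(params: dict) -> str:
    """Alphabetically sorted "key=value" pairs, excluding any existing signature."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "signature")


def quickblox_signature(auth_secret: str, params: dict) -> str:
    """HMAC-SHA1 over the canonical string, keyed with the application's auth_secret."""
    mac = hmac.new(auth_secret.encode(), canonical_string(params).encode(), hashlib.sha1)
    return mac.hexdigest()


def build_session_request(app_id, auth_key, auth_secret, *, nonce=None, timestamp=None,
                          login=None, password=None) -> dict:
    """Parameters for POST /session.json. With login/password the same request
    creates a user session directly (the user[...] fields are signed too)."""
    params = {
        "application_id": str(app_id),
        "auth_key": auth_key,
        "nonce": str(nonce if nonce is not None else secrets.randbelow(10**10)),
        "timestamp": str(timestamp if timestamp is not None else int(time.time())),
    }
    if login is not None:
        params["user[login]"] = login
        params["user[password]"] = password
    params["signature"] = quickblox_signature(auth_secret, params)
    return params


def verify_session_request(auth_secret: str, params: dict, *, now=None) -> bool:
    """What a server can check: a fresh timestamp and a correct HMAC. Nothing here
    distinguishes the genuine app from anyone holding the same extracted secret."""
    try:
        ts = int(params["timestamp"])
        presented = params["signature"]
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > FRESHNESS_SECONDS:
        return False
    expected = quickblox_signature(auth_secret, params)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed app credentials, of the kind the post found embedded in APKs (fake).
    APP_ID, AUTH_KEY, AUTH_SECRET = 12345, "aBcDeFgHiJkLmNo", "ZyXwVuTsRqPoNmL"
    ts, nonce = int(time.time()), 4242

    genuine = build_session_request(APP_ID, AUTH_KEY, AUTH_SECRET, nonce=nonce, timestamp=ts)
    # An attacker who pulled the same three values from the APK builds an identical request.
    forged = build_session_request(APP_ID, AUTH_KEY, AUTH_SECRET, nonce=nonce, timestamp=ts)
    print("server accepts genuine:", verify_session_request(AUTH_SECRET, genuine))
    print("server accepts forged: ", verify_session_request(AUTH_SECRET, forged))
    print("requests identical:    ", genuine == forged)
```

The point of the verifier is what it cannot do: once application_id, auth_key and auth_secret are in the APK, the attacker’s request is byte-for-byte the application’s own request, so no server-side check on the signature can tell them apart. The only fix is architectural, keeping the secret off the client and having a backend broker the session, which is what QuickBlox’s redesigned API is meant to enable.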

By default, QuickBlox’s settings allow an application-level session, not only a user session, to retrieve sensitive information: it can fetch the full list of all users through the ‘/users.json’ API route, look up any individual user’s PII by ID, and create new users. “This means that anyone who is able to extract the static QuickBlox settings from the application will be able to retrieve personal user information, below, of all application users, and also be able to create multiple attacker-controlled accounts,” the post added. 

QuickBlox does expose a per-application privacy setting that stops application-level sessions from listing users. “While this does offer some mitigation to the vulnerabilities we discovered, we discovered another way of leaking the entire application database,” according to the researchers. “By creating a rogue user account, it is possible for attackers to leak specific user information by accessing the ‘/ID.json’, where ID is the sequential user ID. Since QuickBlox uses sequential IDs, by simply brute-forcing a limited range, it is possible to leak all of an application’s user information. However, from a check we performed regarding this privacy setting on all of the applications we researched and retrieved the keys for, we discovered that only a handful chose to disable this API.”
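The bypass the researchers describe, disabling user listing but leaving per-ID reads open to any user session, can be reproduced against a small mock of the permission model. The code below is an added example, not QuickBlox code; the user records are constructed fake data, and the two setting names (app_session_can_list, users_can_read_others) are illustrative stand-ins for QuickBlox console settings, not their real names.

```python
"""Added example (not QuickBlox's code): a mock of the permission model the post
describes, used to show why disabling user listing alone does not stop a leak when
user IDs are sequential and per-ID reads stay open to any user session.
The setting names below are illustrative, not QuickBlox's actual console settings."""
from itertools import count

# Constructed sample records for a QuickBlox-backed app (fake data).
USER_DB = {
    5000001: {"login": "alice", "full_name": "Alice A.", "phone": "+1-555-0101"},
    5000002: {"login": "bob",   "full_name": "Bob B.",   "phone": "+1-555-0102"},
    5000003: {"login": "carol", "full_name": "Carol C.", "phone": "+1-555-0103"},
}

APP_SESSION = ("application", None)   # session obtained with the embedded app secrets


class MockQuickBloxApp:
    """Defaults mirror what the post says ships enabled: an application-level
    session can list all users, read any user by ID, and create new users."""

    def __init__(self, users, app_session_can_list=True, users_can_read_others=True):
        self.users = {uid: dict(rec) for uid, rec in users.items()}
        self.next_id = count(max(users) + 1)       # sequential IDs, as in the post
        self.app_session_can_list = app_session_can_list
        self.users_can_read_others = users_can_read_others

    def list_users(self, session):                 # GET /users.json
        kind, _ = session
        if kind == "application" and not self.app_session_can_list:
            return None                            # 403 in the real API
        return {uid: dict(rec) for uid, rec in self.users.items()}

    def get_user(self, session, user_id):          # GET /users/{id}.json
        kind, caller = session
        if user_id not in self.users:
            return None                            # 404
        if kind == "user" and caller != user_id and not self.users_can_read_others:
            return None                            # 403
        return dict(self.users[user_id])

    def create_user(self, session, login):         # POST /users.json
        if session[0] != "application":
            return None
        uid = next(self.next_id)
        self.users[uid] = {"login": login, "full_name": "", "phone": ""}
        return ("user", uid)                       # the rogue account's user session


def enumerate_by_id(api, session, start, stop):
    """Brute-force a bounded range of sequential IDs; return every record that leaks."""
    leaked = {}
    for uid in range(start, stop + 1):
        rec = api.get_user(session, uid)
        if rec is not None:
            leaked[uid] = rec
    return leaked


def leak_with_defaults(db):
    """Default settings: one call with the app session dumps the whole table."""
    return MockQuickBloxApp(db).list_users(APP_SESSION)


def leak_with_listing_disabled(db, radius=50):
    """Listing disabled, but per-ID reads open: create a rogue user, then walk
    the IDs around it (sequential IDs make the search range tiny)."""
    api = MockQuickBloxApp(db, app_session_can_list=False)
    assert api.list_users(APP_SESSION) is None
    rogue = api.create_user(APP_SESSION, "attacker")
    me = rogue[1]
    leaked = enumerate_by_id(api, rogue, me - radius, me + radius)
    leaked.pop(me)                                 # ignore the attacker's own record
    return leaked


def leak_with_hardened_settings(db, radius=50):
    """Listing disabled and per-ID reads limited to the caller: nothing leaks."""
    api = MockQuickBloxApp(db, app_session_can_list=False, users_can_read_others=False)
    rogue = api.create_user(APP_SESSION, "attacker")
    me = rogue[1]
    leaked = enumerate_by_id(api, rogue, me - radius, me + radius)
    leaked.pop(me)
    return leaked


if __name__ == "__main__":
    print("defaults:        ", sorted(leak_with_defaults(USER_DB)))
    print("listing disabled:", sorted(leak_with_listing_disabled(USER_DB)))
    print("hardened:        ", sorted(leak_with_hardened_settings(USER_DB)))
```

The rogue account is what makes the sequential IDs dangerous: its freshly issued ID sits right next to the real users’ IDs, so the brute-force range is a few hundred requests rather than the full 32-bit space. Note that even the hardened variant still lets an application session create users; that is by design in the model the post describes, and it is the combination of open account creation and open per-ID reads that turns a privacy setting into a speed bump.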

To understand the full scope of the issue, the researchers decided to explore what types of applications are using QuickBlox SDK and what would be the potential risk if attackers were to extract the secret tokens. “Using various methods such as Google dorking, searches in BeVigil, and other search engines we were able to find and extract QB tokens from dozens of different applications,” they added. 

The researchers highlighted that extracting keys was not as simple as looking in the code. “In some instances, the keys were encrypted, while in others, the code was heavily obfuscated. In some extreme cases they were dynamically received encrypted from a remote server. However, regardless of the application, any app would require the secret key and somehow use it with a QuickBlox server. Developers can only put in obstacles to complicate recovering the application key; which will always be accessible to attackers, whether it takes five minutes to extract or two hours,” they added.

After extracting the tokens from each application, the researchers tried to understand how attackers could leverage their attack based on the application’s capabilities and/or further vulnerabilities in the application platform.

The researchers detailed multiple vulnerabilities in the architecture of Rozcom, a smart intercom vendor, that enabled them to download all user databases and perform full account takeover attacks. “As a result, we were able to take over all Rozcom intercom devices, giving us full control and allowing us to access device cameras and microphones, wiretap into its feed, open doors managed by the devices, and more.”

For a year and a half, Rozcom ignored attempts to privately disclose the findings, with the Israeli Cyber Emergency Response Team (IL-CERT) acting as coordinator. “IL-CERT on May 4 allocated and published CVE-2023-31184, CVE-2023-31185 for the two vulnerabilities we uncovered,” according to the post.

The researchers then chose to look at a telemedicine application integrated with the QuickBlox SDK to explore its attack surface by abusing the QuickBlox vulnerabilities. “We are not disclosing the name of the app because it has yet to update to the new QuickBlox API and remains vulnerable at the time of publication,” they added. 

“This particular telemedicine platform provides chat and video services enabling patients to communicate with doctors. By combining the QuickBlox vulnerabilities alongside the specific telemedicine app vulnerabilities, we were able to leak all of its user database, along with related medical records and history stored in the application,” according to the post. “While researching the affected Android application, we were able to extract the embedded QuickBlox application keys. We could then authenticate to the QuickBlox API server, get an authentication token and obtain a user database for the application. These steps are not different from any other application that uses QuickBlox.”

In the telemedicine app, each user chooses the UserID and Password credentials used by the application. “However, we discovered through reverse-engineering that the [REDACTED] application creates a new QuickBlox user with their UserID as login and a hard-coded static password ([REDACTED] for patients, and [REDACTED] for doctors). This makes it possible to log in to QuickBlox on behalf of any user—doctor or patient—and view all of their data. This includes – personal information, medical history, chat history and medical record files,” the researchers disclosed. 

Furthermore, the researchers revealed that because full impersonation is possible by this attack, “anyone can impersonate a doctor and modify information or even communicate in real time via chat and video with real patients on the platform on behalf of an actual physician. This is a very scary scenario.”

The researchers highlighted that QuickBlox worked closely with Team82 and CPR to address their disclosure and has fixed the vulnerabilities through a new secure architecture design and a new API. Customers have been urged to migrate to the latest versions of both so that these vulnerabilities are addressed and users’ privacy and security are protected.
