Application developers using the QuickBlox software development kit and application programming interface for chat and video applications are being urged to update the framework as soon as possible to close serious vulnerabilities.
QuickBlox is often used under the hood of popular iOS, Android and web chat and video applications in critical industries such as finance and telemedicine. The framework delivers not only user management, real-time public and private chat features but also security features that ensure compliance with regulations in a number of countries around the world. That’s why researchers at Check Point Software and Claroty said Wednesday the holes “could put the personal information of millions of users at risk.”
A threat actor could leverage the vulnerabilities to get hard-coded keys, and access smart intercoms and remotely open doors, or leak patient data from telemedicine applications, says the researchers’ report.
The report says an Israeli company that used QuickBlox to create a video communications application for buildings ignored researchers’ warnings of flaws in its solution that allowed the researchers to compromise it.
One vulnerability is in the login and authentication process that all developers need to use for the QuickBlox platform. An application session is required to create a user session. “This means,” say the researchers, “that each user must obtain an application session, which requires knowledge of the application’s secrets, specifically the Application ID, Authorization Key, Authorization Secret, and Account Key. In order to make it technologically applicable, app developers had to make sure these secret keys are accessible to all users. When looking at applications using QuickBlox, we noticed that most of them chose to simply insert the application secrets into the application.”
“It’s never a good idea to hide secret authentication tokens in applications because they are considered public information and can be easily extracted using various methods, from reverse engineering to dynamic analysis,” says the report.
By default, the report says, QuickBlox settings allow anyone with an application-level session to retrieve sensitive information such as a full list of all users, personal information of all users of the app and the ability to create new users. And while application owners can limit the application-level API access using an inner-settings menu, by creating a rogue user account, an attacker could access specific user information by accessing the /ID.json.
ID numbers created by QuickBlox are sequential, which leaves passwords open to a brute-force attack.
QuickBlox has now released a new secure architecture for its platform, and a new API.