
QuickBlox Framework’s API Flaw: A Dangerous Leak of Millions of Users’ Personal Information


API Flaw in QuickBlox Framework Exposed PII of Millions of Users

An Overview

Research conducted by Claroty Team82 and Check Point Research (CPR) has revealed critical vulnerabilities in the widely used QuickBlox software development kit (SDK) and application programming interface (API) that threaten the personal information of millions of users. The QuickBlox SDK and API are commonly used in chat and video applications across various industries, including telemedicine, smart IoT, and finance.

The researchers found that developers using the QuickBlox framework had to create a QuickBlox account, which provided the credentials the application needs. However, retrieving the QB-Token used for API requests required knowledge of those application credentials. Unfortunately, these credentials are typically embedded in the application itself and can be easily extracted by attackers.

The API vulnerabilities discovered by the researchers allowed attackers with an application-level session to access user databases, retrieve personally identifiable information (PII), and create multiple attacker-controlled accounts. The researchers also found multiple applications using the same QuickBlox framework that were subject to the same vulnerabilities.
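To make the distinction between an application-level session and a user-scoped session concrete, here is an added illustration in Python. It is a hypothetical model written for this article, not QuickBlox's SDK or API: the application key, the user directory, and the function names are all constructed, and the "hardened" function simply refuses to serve per-user PII to any session that was minted from application credentials alone.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical): an application key of the kind that
# ends up embedded in a shipped app, and a small user directory holding PII.
APP_SECRET = b"constructed-app-secret-0001"
USERS = {
    "u1": {"phone": "+1-555-0101", "password_sha256": hashlib.sha256(b"pw-u1").hexdigest()},
    "u2": {"phone": "+1-555-0102", "password_sha256": hashlib.sha256(b"pw-u2").hexdigest()},
}

@dataclass(frozen=True)
class Session:
    scope: str              # "app": minted from app credentials only; "user": bound to a person
    user_id: Optional[str]  # set only for user-scoped sessions

def app_session(app_secret: bytes) -> Session:
    """Flawed flow: knowing the (extractable) app credentials alone yields a session."""
    if not hmac.compare_digest(app_secret, APP_SECRET):
        raise PermissionError("bad app credentials")
    return Session(scope="app", user_id=None)

def user_session(app_secret: bytes, user_id: str, password: bytes) -> Session:
    """Session bound to one authenticated end user (app credentials still identify the app)."""
    app_session(app_secret)
    user = USERS.get(user_id)
    digest = hashlib.sha256(password).hexdigest()
    if user is None or not hmac.compare_digest(digest, user["password_sha256"]):
        raise PermissionError("bad user credentials")
    return Session(scope="user", user_id=user_id)

def list_users_flawed(session: Session) -> dict:
    """Reported behaviour: any valid session, app-level included, can read the whole directory."""
    if session.scope not in ("app", "user"):
        raise PermissionError("invalid session")
    return {uid: {"phone": u["phone"]} for uid, u in USERS.items()}

def get_profile_hardened(session: Session, user_id: str) -> dict:
    """Mitigated behaviour: PII is served only to a user-scoped session for that same user."""
    if session.scope != "user" or session.user_id != user_id:
        raise PermissionError("user-scoped session required")
    return {"phone": USERS[user_id]["phone"]}
```

The lesson the researchers draw applies here: because the app secret cannot be kept out of an attacker's hands, the authorization check on the data endpoint has to be what protects user records, not secrecy of the key.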

Implications of the Flaw

The researchers conducted a case study on Rozcom, an Israel-based provider of video intercoms for building entry, to demonstrate how the QuickBlox vulnerabilities could be exploited. By leaking user databases from QuickBlox, the researchers were able to gain access to all of Rozcom’s users, including building IDs and users’ phone numbers. With this information, the researchers were able to impersonate legitimate users, control intercom devices remotely, and access video streams.

The researchers also tested the QuickBlox vulnerabilities on a telemedicine app, where they were able to log in on behalf of any user, whether a patient or doctor, and retrieve personal information such as medical history, chat history, and medical files. They even found they could fully impersonate a doctor and modify information or communicate with patients in real time through the app.

These findings demonstrate the significant potential for harm when API flaws are present in a widely used framework like QuickBlox, especially when it is used by multiple vendors and applications. The researchers worked closely with QuickBlox to address and fix the vulnerabilities, but the responsibility for implementing these fixes lies with the individual developers using the framework.

The Importance of Security Measures

This research serves as a reminder of the importance of robust security measures in software development, especially when it comes to protecting user data. While vendors like QuickBlox play a crucial role in addressing vulnerabilities, developers must also take responsibility for integrating the necessary security measures into their applications.

Implementing encryption and code obfuscation can make it harder for attackers to extract application credentials. However, as the researchers point out, these measures only put obstacles in the way: an attacker will still recover the application key eventually, whether that takes minutes or hours.

The Role of Vendors and Developers

Security is a collective effort between vendors and developers. Vendors like QuickBlox must strive to regularly assess and update their frameworks to identify and address vulnerabilities. They should also provide clear and accessible guidelines on how developers can integrate these security updates into their applications. QuickBlox has already fixed the vulnerabilities identified in their framework through a new secure architecture design and API.

On the other hand, developers have a responsibility to stay informed about potential vulnerabilities in the frameworks they use. They should regularly update their applications with the latest security patches and fixes provided by the vendors. Additionally, developers should consider implementing additional security measures, such as multi-factor authentication and encryption, to further protect user data.

Lessons Learned

The recent discovery of vulnerabilities in the QuickBlox SDK and API highlights the importance of thorough security assessments and regular updates in software development. It also underscores the need for strong security practices that focus on protecting user data at every level.

When considering the use of third-party frameworks or APIs, developers must conduct thorough assessments to ensure their security. They should prioritize frameworks and vendors that have a reputation for prioritizing security and regularly addressing vulnerabilities.

Ultimately, users’ personal information should be treated as sacred, with developers and vendors taking every possible precaution to protect it.

[Illustrative image: QuickBlox Framework; photo by Travis Saylor. The image does not depict the actual situation.]