QuickBlox app developers urged to update platform to close serious holes

Application developers using the QuickBlox software development kit and application programming interface for chat and video applications are being urged to update the framework as soon as possible to close serious vulnerabilities.

QuickBlox is often used under the hood of popular iOS, Android and web chat and video applications in critical industries such as finance and telemedicine. The framework delivers not only user management, real-time public and private chat features but also security features that ensure compliance with regulations in a number of countries around the world. That’s why researchers at Check Point Software and Claroty said Wednesday the holes “could put the personal information of millions of users at risk.”

A threat actor could leverage the vulnerabilities to get hard-coded keys, and access smart intercoms and remotely open doors, or leak patient data from telemedicine applications, says the researchers’ report.

The report says an Israeli company that used QuickBlox to create a video communications application for buildings ignored researchers’ warnings of flaws in its solution that allowed the researchers to compromise it.

One vulnerability is in the login and authentication process that all developers need to use for the QuickBlox platform. An application session is required to create a user session. “This means,” say the researchers, “that each user must obtain an application session, which requires knowledge of the application’s secrets, specifically the Application ID, Authorization Key, Authorization Secret, and Account Key. In order to make it technologically applicable, app developers had to make sure these secret keys are accessible to all users. When looking at applications using QuickBlox, we noticed that most of them chose to simply insert the application secrets into the application.”

“It’s never a good idea to hide secret authentication tokens in applications because they are considered public information and can be easily extracted using various methods, from reverse engineering to dynamic analysis,” says the report.

By default, the report says, QuickBlox settings allow anyone with an application-level session to retrieve sensitive information such as a full list of all users, personal information of all users of the app and the ability to create new users. And while application owners can limit the application-level API access using an inner-settings menu, by creating a rogue user account, an attacker could access specific user information by accessing the /ID.json.  ID numbers created by QuickBlox are sequential, which leaves passwords open to a brute-force attack.

QuickBlox has now released a new secure architecture for its platform, and a new API.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.