In today's digital age, fitness app development plays a vital role in providing users with secure and personalized experiences. However, recent research has uncovered major security flaws in QuickBlox, a popular chat and video framework used by millions of people globally.

As part of an ongoing effort to improve user security, Team82 Research collaborated with Check Point Research (CPR) to conduct a joint research project on the security of the QuickBlox software development kit (SDK) and application programming interface (API). Our findings revealed critical vulnerabilities that could put sensitive data of millions at risk.

The Risks Revealed

Our investigation exposed several major security flaws in the QuickBlox platform architecture which, if exploited, could allow threat actors to access the user databases of tens of thousands of applications. This means that millions of user records are at risk of being compromised. By chaining these vulnerabilities with other flaws in targeted applications, we discovered unique ways to carry out attacks that enabled us to remotely open doors via intercom applications and leak patient information from major telemedicine platforms.

The QuickBlox Framework

QuickBlox is a chat and video calling platform for developing iOS, Android, and web applications. It provides an API for authentication, user management, chat and messaging, file management, and more, as well as an easy-to-use SDK that enables voice and video features. Our research began by exploring the framework and various applications that use it.

The Flawed Authentication Process

Our investigation revealed a major flaw in the QuickBlox authentication process. Developers must create a QuickBlox account, generate application credentials (Application ID, Authorization Key, Authorization Secret, and Account Key), and then obtain an application session in order to authenticate users. However, this process requires the application itself to hold sensitive credentials, and anything shipped inside an application can be extracted from it.

The Critical Vulnerabilities

We discovered that most applications using QuickBlox embed these secret keys directly in the application package, making them accessible to every user of the app. Combined with the vulnerabilities we found in the QuickBlox API, this could allow attackers to:

  • Retrieve a full list of all users
  • Get PII user information by ID
  • Create new users
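The root cause described above is a secret that ships inside the client. A defensive control that catches this before release is a scan of the decoded application resources for credential-like keys. The script below is an added example written for this article; it is not Team82, CPR, or QuickBlox code. The resource file contents, the `qb_*`/`QB_*` key names, and every value are constructed placeholders, and the name patterns are an assumption about how such credentials are typically labelled, not a description of any real application.

```python
import math
import re
from collections import Counter

# Constructed sample input (not taken from any real app): a decoded strings.xml and a
# build properties file in which credentials were baked into the client. All values
# are made-up placeholders.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Demo Intercom</string>
    <string name="qb_application_id">12345</string>
    <string name="qb_authorization_key">xK9qLm2ZpR4wVt7</string>
    <string name="qb_authorization_secret">aB3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xY</string>
    <string name="qb_account_key">zY8xW5vU2tS9rQ6p</string>
    <string name="api_base">https://api.example.com</string>
</resources>
"""

SAMPLE_PROPERTIES = """# build-time config (constructed)
QB_APP_ID=12345
QB_AUTH_SECRET=aB3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xY
LOG_LEVEL=info
"""

# Key-name heuristics (assumed naming conventions). "secret" covers material that must
# never leave the backend; "credential" covers identifiers that still let a holder
# request an application session and therefore deserve review.
_SECRET_NAME = re.compile(r"(^|[_.-])(auth(orization)?[_.-]*secret|account[_.-]*key)($|[_.-])")
_CREDENTIAL_NAME = re.compile(r"(^|[_.-])(auth(orization)?[_.-]*key|app(lication)?[_.-]*id)($|[_.-])")

_XML_STRING = re.compile(r'<string\s+name="(?P<name>[^"]+)"\s*>(?P<value>[^<]*)</string>')
_PROPERTY = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.-]+)\s*=\s*(?P<value>\S+)\s*$", re.MULTILINE)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking secrets score high, small IDs low."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_key(name: str):
    lowered = name.lower()
    if _SECRET_NAME.search(lowered):
        return "secret"
    if _CREDENTIAL_NAME.search(lowered):
        return "credential"
    return None


def _iter_key_values(text: str):
    """Yield (name, value) pairs from Android string resources and key=value files."""
    for m in _XML_STRING.finditer(text):
        yield m.group("name"), m.group("value")
    for m in _PROPERTY.finditer(text):
        yield m.group("name"), m.group("value")


def scan_for_embedded_credentials(text: str):
    """Return one finding per credential-like key; the full value is never recorded."""
    findings = []
    for name, value in _iter_key_values(text):
        category = classify_key(name)
        if category is None:
            continue
        findings.append({
            "name": name,
            "category": category,
            "entropy": round(shannon_entropy(value), 3),
            "preview": value[:4] + ("..." if len(value) > 4 else ""),
        })
    return findings


def should_block_release(findings, min_entropy: float = 3.0) -> bool:
    """CI gate: any secret-class key, or any credential that looks like random key
    material, means the client carries something an attacker could extract."""
    return any(f["category"] == "secret" or f["entropy"] >= min_entropy for f in findings)


if __name__ == "__main__":
    for label, blob in (("strings.xml", SAMPLE_STRINGS_XML), ("build.properties", SAMPLE_PROPERTIES)):
        found = scan_for_embedded_credentials(blob)
        for f in found:
            print(f"{label}: {f['name']} [{f['category']}] entropy={f['entropy']} value={f['preview']}")
        print(f"{label}: block release = {should_block_release(found)}")
```

Run it over the output of an APK or IPA decoder in CI; a `secret`-class hit means the Authorization Secret or Account Key is being shipped to every user, and the fix is the one the article points to: keep those values on a backend that mints sessions on the client's behalf, so the client never holds them.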

The Fix and Resolution

QuickBlox worked closely with Team82 and CPR to address our findings. They committed to fixing the vulnerabilities by designing a new, secure architecture and API, and are urging customers to migrate to the latest version.

In conclusion, fitness app development plays a critical role in providing users with secure experiences. Our research highlights the importance of securing authentication processes and APIs to prevent sensitive data breaches. By working together, we can ensure that users' personal information remains protected.