QuickBlox API Vulnerabilities Open Video, Chat Users to Data Theft

QuickBlox users should update to the latest version of the platform in order to protect against several avenues of exploitation.

After digging into QuickBlox's software development kit and application programming interface (API), Team82 and Check Point Research found critical vulnerabilities that put the personal data of millions of people at risk.

QuickBlox is a chat and video calling platform in use across various industries, including finance and telemedicine. In researching the platform's vulnerabilities, Team82 and Check Point Research developed several proof-of-concept exploits against applications running the API.

The teams also provided examples of how secret tokens and passwords in the QuickBlox architecture could allow threat actors to obtain information about QuickBlox users. The researchers found unique ways to exploit these vulnerabilities and carry out potential attacks, ultimately allowing them to remotely open doors using intercom features or leak patient information from a telemedicine platform.

Team82 and Check Point Research worked with QuickBlox to find solutions to the issues, including a new architecture for its platform and a whole new API. Users of QuickBlox are advised to migrate to the latest versions to receive both updates.