Security Flaws Found in Software Development Kit Used for Telemedicine Services

A new architecture and API are now available to remediate critical vulnerabilities in the QuickBlox software development kit and API used for telemedicine platforms.

By Jill McKeon

Claroty’s Team82 and Check Point Research (CPR) discovered critical vulnerabilities in the QuickBlox software development kit (SDK) and application programming interface (API), a framework that supports a variety of real-time chat and video services across telemedicine, finance, and smart IoT device applications. QuickBlox customers are encouraged to migrate to the latest, secure versions of the QuickBlox platform.

The two cybersecurity firms conducted a joint research project to analyze the security of the QuickBlox SDK and found two vulnerabilities (CVE-2023-31184 and CVE-2023-31185) that could endanger personal information if exploited.

“QuickBlox supplies mobile and web application developers with a SDK and APIs to deliver not only user management, real-time public and private chat features, for example, but also security features that ensure compliance with HIPAA and GDPR,” a blog post by Team82 and CPR noted.

Because QuickBlox is the foundation of many iOS, Android, and web applications, a security vulnerability in it could allow threat actors to access user databases across thousands of applications.

The first vulnerability, CVE-2023-31184, involves the use of hard-coded credentials. Both vulnerabilities have CVSS scores of 8.0 and had the potential to allow information disclosure via an unspecified request.

“By chaining the vulnerabilities we identified with other flaws in the targeted applications, we found unique ways to carry out attacks that enabled us to remotely open doors via intercom applications, and also leak patient information from a major telemedicine platform,” researchers stated.

Team82 and CPR provided detailed proof-of-concept exploits against applications that run the QuickBlox SDK and API, showing the vulnerability’s potential to impact organizations across multiple industries.

One proof-of-concept exploit focused on a popular, unnamed telemedicine application integrated with the QuickBlox SDK. The researchers chose not to release the name of the platform because it had not updated to the new QuickBlox API at the time of publication, meaning that it remains vulnerable.

“While researching the affected Android application, we were able to extract the embedded QuickBlox application keys. We could then authenticate to the QuickBlox API server, get an authentication token and obtain a user database for the application,” the blog post explained.

The configuration of this telemedicine app makes it possible to log in to QuickBlox on behalf of doctors and patients and view all their personal data.

“Furthermore, because full impersonation is possible by this attack, anyone can impersonate a doctor and modify information or even communicate in real time via chat and video with real patients on the platform on behalf of an actual physician,” the post added.

The proof-of-concept exploit exemplified the far-reaching effects that a vulnerability of this scale can have on healthcare data security.

Team82 and CPR worked with QuickBlox to resolve the vulnerabilities, and QuickBlox designed a new, secure architecture and API. QuickBlox customers have been urged to migrate to the latest versions of the QuickBlox platform and new API as soon as possible.