Vulnerabilities Identified in Popular Telemedicine Software Development Kit
Security flaws have been identified in the QuickBlox software development kit (SDK) and application programming interface (API) that supports the real-time chat and video applications used by many telemedicine providers.
The vulnerabilities were identified by security researchers from Claroty’s Team82 and Check Point Research, who collaborated to assess the security of the popular QuickBlox SDK and API, which support applications in telemedicine, finance, and smart IoT devices. The SDK and API are provided to mobile and web application developers to deliver user management and real-time public and private chats, and to incorporate security features that support HIPAA and GDPR compliance.
The researchers identified two vulnerabilities that put sensitive data at risk, including protected health information (PHI). Given the extent to which the QuickBlox chat and video framework is used, the sensitive information of millions of individuals was at risk of exposure. CVE-2023-31184 is a high-severity flaw with a CVSS 3.1 base score of 7.8 and stems from hard-coded credentials. The second vulnerability, tracked as CVE-2023-31185, is a high-severity flaw with a CVSS 3.1 base score of 7.5 and allows information disclosure via an unspecified request.
The vulnerabilities make it possible to log in to QuickBlox on behalf of any user – doctor or patient – and view all of their data, including personal information, medical histories, chat histories, and medical record files. The researchers say full impersonation is also possible, so a malicious actor could log in as any doctor, modify information, and communicate in real-time via chat and video with real patients. The patient would be unaware that they were not chatting with a real physician. The researchers developed proof-of-concept exploits for the vulnerabilities against multiple applications and demonstrated how secret tokens and passwords embedded in applications along with the use of an insecure QuickBlox API would allow malicious actors to gain access to the PHI of millions of users.
The researchers looked at a popular telemedicine application that integrates with the QuickBlox SDK and provides chat and video services allowing patients to communicate with doctors. The researchers were able to exploit the QuickBlox vulnerabilities alongside specific telemedicine app vulnerabilities, and gain access to the entire user database, along with related medical records and medical histories stored in the application. They were also able to log in as any user, making it possible to impersonate a doctor. At the time of publication, the telemedicine application was still running the vulnerable versions of the framework.
Team82 and CPR worked closely with QuickBlox to resolve the identified vulnerabilities. QuickBlox has now designed a new, secure architecture and API to eliminate the vulnerabilities. All users should ensure they migrate to the latest version as soon as possible to prevent the flaws from being exploited.