Security Vulnerability in Infinite Design Android app

friendlyjlee Oct 7th, 2019 (edited)
# Title: Infinite Design - Cleartext Transmission of username and password
# Application: Infinite Design
# Version: 3.4.12
# Software Link: https://play.google.com/store/apps/details?id=com.brakefield.idfree
# Company: Infinite Studio Mobile
# Installs: 5,000,000+
# Impact: Anyone watching the network traffic can obtain the username and password.
# Category: Mobile Apps
# Tested on: Android 9

---Description---
Infinite Design, a popular art app downloaded more than 5 million times, sends the username and password over TCP without any encryption during login. Anyone watching the network traffic can therefore obtain the username and password. This is critical, especially on mobile phones, because they are often used in insecure environments such as public WiFi.

---Vendor feedback---
After the report, the vendor quickly fixed this problem and released a new version.

---PoC---
1. Try to log in with the Infinite Design Android app.
    - Go to Settings.
    - Enter credentials. Fake information is enough to reproduce the issue.

2. Capture the network packets with any capture tool.
   - The captured HTTP POST message contains the user's email and password.

  Hypertext Transfer Protocol
    POST /users/index.php HTTP/1.1\r\n
    Content-Type: application/x-www-form-urlencoded\r\n
    charset: utf-8\r\n
    Content-Length: 63\r\n
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; ...)\r\n
    Host: www.seanbrakefield.com\r\n
    Connection: Keep-Alive\r\n
    Accept-Encoding: gzip\r\n
    \r\n
    [Full request URI: http://www.seanbrakefield.com/users/index.php]
    [HTTP request 1/1]
    [Response in frame: 662]
    File Data: 63 bytes
  HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "tag" = "login"
    Form item: "email" = "jaeho.lee@rice.edu"
    Form item: "password" = "MyPasswordIsHere!"


---Reporter---
Jaeho Lee (Jaeho.Lee@rice.edu)
Rice Computer Security Lab
Rice University
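
A defender-side check for the exposure shown in the PoC, as an added example that is not part of the original paste: it scans a reassembled cleartext HTTP request for credential-bearing form fields and reports them with the values redacted to a length. The function name, the field-name list and the sample request (placeholder host and credentials) are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

# Field names treated as credentials (assumption; extend for your own apps).
SENSITIVE = {"password", "passwd", "pwd", "email", "username", "user", "token"}

# Constructed sample: a cleartext request shaped like the capture in the PoC,
# with a placeholder host and placeholder credentials.
BODY = b"tag=login&email=user%40example.com&password=NotARealPassword1"
SAMPLE = (
    b"POST /users/index.php HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n" + BODY
)


def find_cleartext_credentials(raw: bytes):
    """Return findings for credential fields in a cleartext HTTP form POST."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return []  # no header/body boundary: incomplete or not HTTP
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return []  # not an HTTP request line (e.g. encrypted TLS records)
    method, path, _ = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method != "POST" or ctype != "application/x-www-form-urlencoded":
        return []
    # Honour Content-Length so trailing bytes from the stream are ignored.
    length = headers.get("content-length", "")
    if length.isdigit():
        body = body[: int(length)]
    findings = []
    fields = parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)
    for key, value in fields:
        if key.lower() in SENSITIVE:
            # Record only the value length so the report never stores secrets.
            findings.append({"host": headers.get("host", "?"), "path": path,
                             "field": key, "value_length": len(value)})
    return findings
```

Run against streams reassembled from a test-network capture of the app, an empty result for the login flow indicates the credentials no longer travel as a readable form POST.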