friendlyjlee

Security Vulnerability in Infinite Design Android app

Oct 7th, 2019
# Title: Infinite Design - Cleartext Transmission of username and password
# Application: Infinite Design
# Version: 3.4.12
# Software Link: https://play.google.com/store/apps/details?id=com.brakefield.idfree
# Company: Infinite Studio Mobile
# Installs: 5,000,000+
# Impact: Anyone watching the network traffic can obtain a username and password.
# Category: Mobile Apps
# Tested on: Android 9

---Description---
Infinite Design, a popular art app with more than 5 million downloads, sends the username and password over TCP without any encryption during login. Anyone watching the network traffic can therefore obtain the username and password. This is critical, especially on mobile phones, because they are often used in insecure environments such as public WiFi.

---Vendor feedback---
After the report, the vendor quickly fixed this problem and released a new version.

---PoC---
1. Try to log in with the Infinite Design Android app.
- Go to Settings.
- Enter credentials. Fake information is enough to reproduce the issue.

2. Sniff the network traffic with any capture tool.
- The captured HTTP POST message contains the user's email and password.

Hypertext Transfer Protocol
POST /users/index.php HTTP/1.1\r\n
Content-Type: application/x-www-form-urlencoded\r\n
charset: utf-8\r\n
Content-Length: 63\r\n
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; ...)\r\n
Host: www.seanbrakefield.com\r\n
Connection: Keep-Alive\r\n
Accept-Encoding: gzip\r\n
\r\n
[Full request URI: http://www.seanbrakefield.com/users/index.php]
[HTTP request 1/1]
[Response in frame: 662]
File Data: 63 bytes
HTML Form URL Encoded: application/x-www-form-urlencoded
Form item: "tag" = "login"
Form item: "email" = "jaeho.lee@rice.edu"
Form item: "password" = "MyPasswordIsHere!"


---Reporter---
Jaeho Lee(Jaeho.Lee@rice.edu)
Rice Computer Security Lab
Rice University
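
Added example (not part of the original advisory or the vendor's code): a Python check that an app tester or network defender can run over reassembled HTTP request bytes to flag login forms sent without TLS, reporting field names only. The sensitive-key list, the host app.example.com and the sample values are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

# Field names treated as secrets (assumption; extend for the apps you test).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token", "secret"}


def parse_http_request(raw: bytes):
    """Split a reassembled HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)  # ValueError if not HTTP
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing stream bytes are not parsed as form data.
    length = int(headers.get("content-length", len(body)))
    return method, path, headers, body[:length]


def find_cleartext_credentials(raw: bytes):
    """Return findings for secret form fields readable in an on-the-wire request.

    If the bytes parse as HTTP at all, they were sent unencrypted. Only field
    names are reported, so the finding does not copy the secret into logs.
    """
    try:
        method, path, headers, body = parse_http_request(raw)
    except ValueError:
        return []  # not plain HTTP, e.g. TLS records
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method != "POST" or ctype != "application/x-www-form-urlencoded":
        return []
    fields = parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)
    hits = sorted({k for k, _ in fields if k.lower() in SENSITIVE_KEYS})
    if not hits:
        return []
    return [{"host": headers.get("host", ""), "path": path, "fields": hits}]


# Constructed sample shaped like the capture above (placeholder host and values).
_BODY = b"tag=login&email=user%40example.com&password=not-a-real-password"
SAMPLE = (b"POST /users/index.php HTTP/1.1\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Host: app.example.com\r\n"
          b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY)

if __name__ == "__main__":
    print(find_cleartext_credentials(SAMPLE))
```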