Security Vulnerability in Infinite Design Android app
friendlyjlee Oct 7th, 2019 (edited) 207 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
- # Title: Infinite Design - Cleartext Transmission of username and password
- # Application: Infinite Design
- # Version: 3.4.12
- # Software Link: https://play.google.com/store/apps/details?id=com.brakefield.idfree
- # Company: Infinite Studio Mobile
- # Installs: 5,000,000+
- # Impact: Anyone watching the network packet can obtain a username and password.
- # Category: Mobile Apps
- # Tested on : Android 9
- Infinite Design, the popular Art app downloaded more than 5 millions, sends username and password via TCP without any encryption during login. So, anyone watching the network packet can obtain a username and password. It is critical, especially in mobile phones, because mobile phones are usually used in an insecure environment such as public WiFi.
- ---Vendor feedback---
- After reporting, the vendor have quickly fixed this problem and released a new version.
- 1. Try to login with Infinite Design, Android app.
- - Going to Settings
- - Enter credentials. Fake information is enough for reproducing.
- 2. Sniffing network packet with any capturing tool.
- - the captured HTTP POST message contains user email and password.
- Hypertext Transfer Protocol
- POST /users/index.php HTTP/1.1\r\n
- Content-Type: application/x-www-form-urlencoded\r\n
- charset: utf-8\r\n
- Content-Length: 63\r\n
- User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; ...)\r\n
- Host: www.seanbrakefield.com\r\n
- Connection: Keep-Alive\r\n
- Accept-Encoding: gzip\r\n
- [Full request URI: http://www.seanbrakefield.com/users/index.php]
- [HTTP request 1/1]
- [Response in frame: 662]
- File Data: 63 bytes
- HTML Form URL Encoded: application/x-www-form-urlencoded
- Form item: "tag" = "login"
- Form item: "email" = "email@example.com"
- Form item: "password" = "MyPasswordIsHere!"
- Jaeho Lee(Jaeho.Lee@rice.edu)
- Rice Computer Security Lab
- Rice University
RAW Paste Data