# Title: Infinite Design - Cleartext Transmission of username and password
# Application: Infinite Design
# Version: 3.4.12
# Software Link: https://play.google.com/store/apps/details?id=com.brakefield.idfree
# Company: Infinite Studio Mobile
# Installs: 5,000,000+
# Impact: Anyone watching the network packet can obtain a username and password.
# Category: Mobile Apps
# Tested on : Android 9
Infinite Design, the popular Art app downloaded more than 5 millions, sends username and password via TCP without any encryption during login. So, anyone watching the network packet can obtain a username and password. It is critical, especially in mobile phones, because mobile phones are usually used in an insecure environment such as public WiFi.
After reporting, the vendor have quickly fixed this problem and released a new version.
1. Try to login with Infinite Design, Android app.
- Going to Settings
- Enter credentials. Fake information is enough for reproducing.
2. Sniffing network packet with any capturing tool.
- the captured HTTP POST message contains user email and password.
Hypertext Transfer Protocol
POST /users/index.php HTTP/1.1\r\n
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; ...)\r\n
[Full request URI: http://www.seanbrakefield.com/users/index.php]
[HTTP request 1/1]
[Response in frame: 662]
File Data: 63 bytes
HTML Form URL Encoded: application/x-www-form-urlencoded
Form item: "tag" = "login"
Form item: "email" = "firstname.lastname@example.org"
Form item: "password" = "MyPasswordIsHere!"
Rice Computer Security Lab