This hacker hacked into the TikTok clone Mitron App User’s profile in seconds
The Mitron App has been grabbing headlines lately. First, it was heralded as the Made In India alternative to the short video uploading Chinese App TikTok, and later it was found to be a cheap copy of a Pakistani version. Now a security researcher has found that he could hack into any Mitron App user profile in seconds. Considering the popularity of the Mitron App, millions of users’ privacy can be at stake due to this vulnerability.
What is Mitron?
Mitron is basically a clone of TikTok and was said to be developed by IIT Roorkee student Shivank Agarwal. Considering the anti-TikTok sentiment in India, the Mitron app has gained instant popularity. Ever since its release a month ago, the app has been downloaded over 5 million times on Android and has a Google Play rating of 4.7. Mitron App cashed in on the popular greeting by Indian Prime Minister Modi and his ‘vocal for local’ campaign.
Mitron App Pakistani Tik-Tik connection
Now it is reported that Mitron App was never really made by any IIT student in the country. The original name of the much flaunted Indian Tik-Tok alternative is Tik-Tik and it is developed by Qboxus, a Pakistani software developer company. The founder of Qboxus, Irfan Sheikh said that he sold the source code to promoters of the Mitron app for around $35 (Rs 2,600). He added that while Qboxus expects customers to use the code and build their own product, Mitron’s developers have just changed the logo of the App and uploaded it to Google Play.
Hacking Mitron App
A flaw in the Mitron App allows any potential hacker to access the user’s profile in the App without much programming knowledge. The vulnerability was discovered by a security researcher, Rahul Kankrale, and reported by The Hacker News.
Kankrale found out that the vulnerability resides in the way Mitron implemented ‘Login with Google’ feature. The feature is used by many Apps to authenticate users using the Gmail login. In this case, Kankrale found that though Mitron uses the Login with Google feature to allow the App access to the user, it doesn’t use any secret token or authorization to save it. This flaw can be used by any potential hacker to log into any targeted Mitron user profile just by knowing his or her unique user ID.
Kankrale also noted that the Mitron App user’s unique ID can be gleaned from the information available in the page source, and without entering any password. This makes millions of Mitron App users vulnerable to stalking, hacking and extortion attempts as getting the user’s unique ID using Google Dorks is an easy process.
Mitron App hacking Proof of Concept (PoC)
Kankrale does not know who to reach out to at Mitron App for patching this critical vulnerability. The App page on Google Play just lists an email id [email protected] The shopkiller.in website is hosted on an insecure website and returns an empty webpage.
At the time of writing this article, your Mitron App user information is publicly available to any noob with a little bit of programming knowledge.
It seems that the Mitron App has no connection to any IIT or any IIT student and was hyped as such to garner news headlines and users as a Made in India alternative to TikTok. So much for buying a cheap Chinese clone made by a Pakistani company.