The Hacker News reports that Indian security specialist Rahul Kankral discovered a critical vulnerability in the Mitron Android application, which is a TikTok clone. The vulnerability allows you to capture other people’s accounts without any user interaction.
More recently, the Mitron app hit the headlines with over 5 million installations and over 250,000 five-star ratings in just 48 days after being released on the Google Play Store.
Interestingly, although Mitron is positioned as an Indian application, it was not developed in India.
“The application was not developed at all from scratch, instead, someone bought a ready-made solution and simply renamed it. In fact, Mitron is a repackaged version of the TicTic app, created by a Pakistani development company, Qboxus, which sells ready-to-use clones of TikTok, musical.ly, Dubsmash and other similar services”, – noted The Hacker News reporters.
Who exactly is standing behind Mitron is still unclear, but many assume that the application belongs to a former student of the Indian Institute of Technology.
Although Mitron is not a product of any large company and was not created in India, the application quickly gained popularity in the country, not least thanks to the initiative of the Prime Minister Narendra Modi, aimed at making India more independent. This generated a wave of calls to boycott Chinese services and products, and hashtags such as #tiktokban and #IndiansAgainstTikTok have become trending.
As a result, the fact that TikTok is a Chinese application and rumors that it may misuse user data and trace users, unfortunately, have pushed millions of people to switch to a much more dangerous alternative.
“Mitron contains a critical and extremely easy to use vulnerability that allows bypassing authentication for any user account in a few seconds. The root of the problem is how the Login with Google function is implemented in the application, which, during login, asks users for permission to access their Google profile data, but does not use this information and does not create secret authentication tokens”, – say The Hacker News magazine.
In essence, because of the vulnerability, it is possible to log into any Mitron user account simply knowing its unique ID (without entering a password), which is classified as public information and it will not be difficult to recognize it. This is what the researcher demonstrates in the video below.
Representatives of Qboxus, who actually created TicTic (and therefore Mitron), told the media that the company only sells source codes that customers must configure themselves. The company also noted that they are very worried by the fact that the application is positioned as Indian (which is not true) and distributed without any changes in the code.
It is still not clear whether the developers are going to fix the vulnerability in their code and notify other buyers about the problem. The fact is that more than 250 other developers have already purchased TicTic code, and these clones can also be affected by the same vulnerability.
The researcher that discovered the problem in Mitron tried to report the bug to the application owner, but it turned out that the email address specified in the Google Play Store does not work. There are no other ways to contact the clone buyer, and the web server home page (shopkiller.in), which hosts the application infrastructure, is empty.
The expert urges all Mitron users to urgently remove the application and revoke permission to access the Google profile.
However, the original Chinese TikTok is not perfectly safe – I have already told you that the researchers managed to hack TikTok using SMS.