Mitron is not really a 'Made in India' product, and the viral app contains a highly critical, unpatched vulnerability that could allow anyone to hack into any user account without requiring interaction from the targeted users or their passwords.
I am sure many of you already know what TikTok is, and those still unaware, it's a highly popular video social platform where people upload short videos of themselves doing things like lip-syncing and dancing.
The wrath faced by Chinese-owned TikTok from all directions—mostly due to data security and ethnopolitical reasons—gave birth to new alternatives in the market, one of which is the Mitron app for Android.
Mitron video social platform recently caught headlines when the Android app crazily gained over 5 million installations and 250,000 5-star ratings in just 48 days after being released on the Google Play Store.
Popped out of nowhere, Mitron is not owned by any big company, but the app went viral overnight, capitalizing on its name that is popular in India as a commonly used greeting by Prime Minister Narendra Modi.
Besides this, PM Modi's latest 'vocal for local' initiative to make India self-reliant has indirectly set up a narrative in the country to boycott Chinese services and products, and of course, #tiktokban and #IndiansAgainstTikTok hashtags trending due to TikTok vs. YouTube battle and CarryMinati roast video also rapidly increased the popularity of Mitron.
Any Mitron Users Account Can Be Hacked in Seconds
The insecurity that TikTok is a Chinese app and might have allegedly been abusing its users' data for surveillance, unfortunately, turned millions into signing up for less trusted and insecure alternative blindly.
The Hacker News learned that the Mitron app contains a critical and easy-to-exploit software vulnerability that could let anyone bypass account authorization for any Mitron user within seconds.
The security issue discovered by Indian vulnerability researcher Rahul Kankrale resides in the way app implemented 'Login with Google' feature, which asks users' permission to access their profile information via Google account while signing up but, ironically, doesn't use it or create any secret tokens for authentication.
In other words, one can log into any targeted Mitron user profile just by knowing his or her unique user ID, which is a piece of public information available in the page source, and without entering any password—as shown in a video demonstration Rahul shared with The Hacker News.
Mitron App Was Not Developed; Instead Bought For Just $34
Promoted as a homegrown competitor to TikTok, in separate news, it turns out that the Mitron app has not been developed from scratch; instead, someone purchased a ready-made app from the Internet, and simply rebranded it.
While reviewing the app's code for vulnerabilities, Rahul found that Mitron is actually a re-packaged version of the TicTic app created by a Pakistani software development company Qboxus who is selling it as a ready-to-launch clone for TikTok, musical.ly or Dubsmash like services.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
In an interview with the media, Irfan Sheikh, CEO of Qboxus, said his company sells the source code, which the buyers are expected to customize.
"There is no problem with what the developer has done. He paid for the script and used it, which is okay. But, the problem is with people referring to it as an Indian-made app, which is not true, especially because they have not made any changes," Irfan said.
Besides Mitron's owner, more than 250 other developers have also purchased the TicTic app code since last year, potentially running a service that can be hacked using the same vulnerability.
Who is Behind the Mitron App? An Indian or a Pakistani?
Though the code has been developed by the Pakistani company, real identity of the person behind the Mitron app—TicTic at heart TikTok by face—has yet not been confirmed; however, some reports suggest it's owned by a former student of the Indian Institute of Technology (IIT Roorkee).
Rahul told The Hacker News that he tried responsibly reporting the flaw to the app owner but failed as the email address mentioned on the Google Play Store, the only point of available contact, is non-operational.
Besides this, the homepage for the web server (shopkiller.in), where the backend infrastructure of the app is hosted, is also blank.
Considering that the flaw actually resides in the TicTic app code and affects any other similar cloned service running out there, The Hacker News has reached out to Qboxus and disclosed details of the flaw before publishing this story.
We will update this article when we receive a response.
Is Mitron App Safe to Use?
In short, since:
- the vulnerability has not yet been patched,
- the owner of the app is unknown,
... it's highly recommended to simply do not install or use the untrusted application.
If you're among those 5 million who have already created a profile with the Mitron app and granted it access to your Google profile, revoke it immediately.
Unfortunately, there's no way you can delete your Mitron account yourself, but the hacking of Mitron user profile would not severely impact unless you have at least a few thousand followers on the platform.
However, keeping an untrusted app installed on your smartphone is not a good idea and could put your data from other apps and sensitive information stored on it at risk, so users are advised to uninstall the app for good.