The Indian video sharing app, called Chingari, is available for Android and iOS smartphones through official app stores, designed to let users record short-form videos, catch up on the news, and connect with other users via a direct message feature.
Originally launched in November 2018, Chingari has witnessed a huge surge in popularity over the past few days in the wake of India's ban on Chinese-owned apps late last month, crossing 10 million downloads on the Google Play Store in under a month.
The Indian government recently banned 59 apps and services, including ByteDance's TikTok, Alibaba Group's UC Browser and UC News, and Tencent's WeChat over privacy and security concerns.
While these apps have been delisted from Apple and Google's app stores, several home-grown alternatives, such as InMobi Group's Roposo, Chingari, and Mitron, have ramped up their efforts to cash in on the void left by TikTok.
Any Chingari User Account Can Be Hijacked in Seconds
The Chingari app for iOS and Android asks users to register an account by granting basic profile access to their Google accounts, which is a standard part of OAuth-based authentication.
However, according to Girish Kumar, a cybersecurity researcher at Encode Middle East firm in Dubai, Chingari uses a randomly generated user ID to fetch respective profile information and other data from its server without relying on any secret token for user authentication and authorization.
As demonstrated in the video Kumar shared with The Hacker News, not only can this user ID be easily retrieved, it can be used by an attacker to replace a victim's user ID in HTTP requests to gain access to the account information.
"The attack doesn't require any interaction from the targeted users and can be performed against any profile to change their account settings or upload content of the attacker's choice," Kumar told The Hacker News in an email interview.
As The Hacker News revealed back in May, Mitron suffered from exactly the same flaw, allowing anyone with access to the unique user ID to login to the account without entering any password.
"Once a victim's account is compromised using the method shown in video an attacker can change username, name, status, DOB, country, profile picture, upload/delete user videos etc. in short access to the entire account," Kumar said.
That's not all. A separate feature in Chingari that allows users to turn off video sharing and comments can be simply bypassed by tweaking the HTTP response code ({"share":false,"comment":false}), thus making it possible for a malicious party to share and comment on restricted videos.
Chingari Patch Update To Be Released Today
Kumar responsibly disclosed the issue to the makers of Chingari earlier this week, and the company in response acknowledged the vulnerability.
The Hacker News also reached out to Sumit Ghosh, founder of Chingari, who confirmed to the publication that the issue will be patched with Chingari version 2.4.1 for Android and 2.2.6 for iOS, that's expected to be rolled out to millions of its users via Google Play Store and Apple app store starting today.
Besides this, to protect users who don't update their app on time, the company has decided to disable access to the back-end APIs from older versions of the app.
If you are a Chingari user, it's highly recommended that you update the app as soon as the latest version is available to avoid potential misuse.
In a separate incident, a french researcher earlier this month spotted that the website of Globussoft, the company behind Chingari, had also been compromised to host malware scripts, redirecting its users to malicious pages.
Such an unfortunate state of security highlights that embracing indigenous apps for the sake of nationalism is one thing, but apps, especially for non-tech-savvy users, must be tested rigorously while keeping privacy and security in mind.
Not A Data Breach!
UPDATE — After The Hacker News report, some media publications have covered the same incident as a 'data breach,' which categorically is incorrect.
That's because the disclosed vulnerability doesn't allow attackers to steal a victim's personal information stored on the company servers; instead, it could have been exploited to tamper with or breach a targeted account.
Moreover, since Chingari doesn't ask its users to enter any personal information or a password, and uses 'sign in with Google' without even storing their email addresses, all an attacker could do is defacement or misuse someone's account to spread misinformation or inappropriate content.
A spokesperson for the company told The Hacker News that the Chingari team patched the vulnerability within 24 hours after researchers reported it to the company, and have found no evidence of any misuse or data compromise.
