The latest social media craze Mitron app has a critical vulnerability. As discovered, the bug allows an adversary to takeover any account within minutes. What’s critical is that no patch is yet available for the vulnerability.
Mitron App Vulnerability Discovered
Security researcher Rahul Kankrale has discovered a critical and easily exploitable vulnerability in the Mitron app.
Sharing the details the researcher revealed that the problem exists with the ‘Login with Google’ feature.
Briefly, the feature that requires users’ permission to access profile information does not create any private authentication tokens. Hence, anyone knowing a target users’ unique userID (publicly displayed in the page source) can easily take over the account.
The researcher has shared the quick steps to reproduce the exploit in his blog post. Whereas, the following video demonstrates the attack scenario.
No Patch Available, Plus Dubious Security
According to the researcher, he tried to contact the developers, but he couldn’t.
Already tried to contact developer but they are not reachable (email bounced).
Thus, the bug remains unpatched (until the time of writing this article) making all the users vulnerable to hacking attacks, since the PoC is also available.
Mitron is a social video app similar to TikTok. It took the social media world by storm after TikTok faced the wrath of Indian users due to data security, and other ethical and moral issues.
Although, Mitron isn’t specifically an Indian app. Rather it is loosely based on code from a Pakistani developers’ team QBoxus, as reported by News18. However, it seems this was not known earlier when the app surfaced online.
Hence, the name of the app ‘Mitron’ (a popular Hindi word which means ‘friends’) sufficed to attract a huge userbase within a short time who mistook this app as an Indian alternative to the Chinese TikTok.
Presently, Mitron boasts over 5 million users on Google Play Store. It means this vulnerability has risked the security of millions of users who cannot even delete their accounts.
However, they can certainly revoke the app permission to access their Google accounts.
Moreover, the app also comes with numerous privacy issues, such as a bogus privacy policy, an invalid contact email (as experienced by Kankrale), no transparent security measures for users’ data, and anonymous app owners (the privacy policy merely states the developers to be registered in Bengaluru).
Therefore, users should ideally stop using this app to protect their privacy and security.
Let us know your thoughts in the comments.
