Mitron, a TikTok spin-off that has been controversial in India, has yet another issue reported. A cybersecurity researcher has reported that the app has a login vulnerability that can be used to hijack an account and use it for impersonation. Further, it is reported to send its traffic over an unencrypted protocol, which lets attackers intercept and snoop on communications. The maker of the app is yet to release a patch for this.
The Initial Backlash
After Indian youth fought a YouTube vs TikTok virtual war earlier this month, a similar app called Mitron rose to prominence. Mitron was initially said to be of Indian origin, with a student from IIT Roorkee credited with building this TikTok spin-off for Indians.
Further, as India’s Prime Minister advised using local products to boost the domestic economy, netizens turned to Mitron, which satisfied both goals: migrating away from the Chinese-owned TikTok and being Indian.
Well, this didn’t last long. A report from Gadgets 360 yesterday claimed that Mitron is built on a Pakistani codebase, and so is not Indian after all. A software company called Qboxus made a TikTok spin-off called Tic Tic in Pakistan and sold its source code to an Indian for just $34. That is how Mitron came about, with no significant changes beyond the name and logo.
Hijacking Accounts For Impersonation
Now a cybersecurity researcher named Rahul Kankrale has shown how insecure the app is to use. He demonstrated in a video that Mitron has a login vulnerability that allows an adversary to take over accounts and like, message, comment and follow on behalf of the victim. The app relies on a unique User ID that can be extracted from its code and used to log in as that user.
Though it asks for a Google account to sign up, it still uses the unique User ID it created for logging in, so possession of that ID alone is enough to authenticate. Further, it is also reported to send its traffic over a non-SSL (unencrypted) protocol, leaving communications open to interception. This flaw was even found in TikTok itself.
Since the authenticity of this app’s maker is yet to be verified, we, like others, don’t recommend using this app for now.
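To make the flaw class described above concrete, here is an added illustration that is not Mitron’s code and not from the researcher’s video: a login handler that trusts a client-supplied user ID, next to a hardened one that derives the user from a signed identity assertion and hands back an unguessable server-side session token. The user store, the identity-provider key and the token format are constructed for the example; a real server would verify a Google ID token against Google’s published public keys rather than a shared HMAC key. It covers only the login issue, not the unencrypted transport.

```python
"""Added illustration, not Mitron's code: a login endpoint that trusts a
client-supplied user ID (the flaw class described above) next to one that
authenticates via a signed identity assertion and issues an unguessable
server-side session. The user store and HMAC key are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed user store keyed by the app's internal user ID.
USERS = {"u-1001": {"name": "alice"}, "u-1002": {"name": "bob"}}


def insecure_login(request: dict) -> dict:
    """Vulnerable pattern: whoever presents a valid user ID is treated as that
    user, so any ID recoverable from the client (code, traffic) is a credential."""
    uid = request.get("user_id")
    if uid in USERS:
        return {"ok": True, "session_for": uid}
    return {"ok": False}


# Hypothetical identity-provider key, shared here only so the example can both
# mint and verify tokens offline. A real client would present a Google ID token
# and the server would verify it against Google's published public keys.
IDP_KEY = b"example-idp-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(uid: str, ttl: int = 300) -> str:
    """Stand-in for the identity provider: payload.signature, HMAC-SHA256."""
    payload = _b64(json.dumps({"sub": uid, "exp": int(time.time()) + ttl}).encode())
    sig = _b64(hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_id_token(token: str):
    """Return the subject if the signature is valid and the token is unexpired,
    else None. Malformed input of any kind is rejected rather than raising."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(payload))
        if claims["exp"] < time.time():
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None


SESSIONS: dict = {}  # session token -> user ID, held server-side only


def secure_login(request: dict) -> dict:
    """Hardened pattern: the user ID comes from a verified assertion, never from
    the request body, and the client receives a random session token."""
    uid = verify_id_token(request.get("id_token", ""))
    if uid is None or uid not in USERS:
        return {"ok": False}
    session = secrets.token_urlsafe(32)
    SESSIONS[session] = uid
    return {"ok": True, "session": session}


def whoami(session: str):
    """Resolve a session token back to the user it was issued for."""
    return SESSIONS.get(session)


if __name__ == "__main__":
    # An attacker who knows only a user ID:
    print(insecure_login({"user_id": "u-1001"}))  # hijacked
    print(secure_login({"user_id": "u-1001"}))    # rejected
    # A legitimate client holding an identity-provider token:
    print(secure_login({"id_token": mint_id_token("u-1001")}))
```

The hardened handler also rejects a token whose signed payload has been swapped for another user’s, and an expired one; the point is that the server never accepts an identifier as proof of identity, only a signature it can verify, and the session token it mints is random rather than derived from the user ID.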
Via: Gadgets 360