Vulnerabilities and Owner Claims of the so-called Indian rival app to China's TikTok

Mitron, a viral app, contains a highly critical, unpatched vulnerability that could let anyone hack into any user account without needing a password or any interaction from the targeted user.
Mitron means “friends” in Hindi, and the app is not an Indian product.
TikTok, the Chinese-owned viral video social platform, has faced outrage everywhere over its lack of data security and for ethnopolitical reasons. This led to the emergence of new alternatives, one of which is the Mitron app for Android.
Mitron was recently in the news when the Android app was installed by more than 5 million users and received a 5-star rating from 250,000 users in just 48 days after its release on the Google Play Store.
Mitron is not owned by any big company; the app became a sensation overnight, taking advantage of a name that is popular in India as a greeting commonly used by Prime Minister Narendra Modi.
Also, the PM's ‘vocal for local’ initiative to make India self-reliant has indirectly created a mood in the country to boycott Chinese services and products. All this led to the rise in Mitron's popularity.

The insecurity of TikTok led more users to start using the Mitron app. However, the app contains a critical and easy-to-exploit software vulnerability that could allow anyone to bypass account authorization for any Mitron user within seconds.
It is usual for app developers to buy source code cheaply and work on their own customisations and improvements to launch an app quickly. But in the hurry to cash in on the negative sentiment against TikTok, the creator of Mitron, which hopes to offer an alternative to the Chinese short-video platform, seems to have missed out on making the necessary changes to the purchased source code, a TikTok ripoff created by the Pakistan-based coding company Qboxus. And now we claim that it is risky to use the Mitron app in its present form.
The vulnerability resides in the way the app implements the ‘Login with Google’ feature: it asks users’ permission to access their profile information via their Google account while signing up but, in fact, does not use it or create any secret tokens for authentication.
In simple words, a person can log into any targeted Mitron user's profile if they just know that user's unique user ID, which is a piece of public information available in the page source, without entering any password.
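To make the flaw class concrete, here is an added example (written for this post, not Mitron's or Qboxus's code) that models a minimal 'Login with Google' backend in two forms: the broken pattern, where the client-supplied user ID alone is accepted as proof of identity, and a hardened pattern, where the account is derived from a verified identity assertion and an unguessable server-side session token is minted. Everything in it is constructed: the `USERS` table, the `IDP_SECRET` key, and the HMAC-based `idp_sign`/`verify_assertion` pair that stands in for verifying a real Google ID token (in production that check is done with a library such as google-auth's `google.oauth2.id_token.verify_oauth2_token`, which validates signature, audience and expiry against Google's published keys).

```python
"""
Added example: a model of the 'Login with Google' flaw described above.

Assumptions (all constructed for this example, none from the app):
  - USERS stands in for the app's user table.
  - The identity provider's signed assertion is simulated with an HMAC over
    the user's email using IDP_SECRET as the trust anchor. A real backend
    verifies the Google ID token's signature, audience and expiry with a
    library such as google-auth instead of a shared secret.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample user table: public user id -> email Google would assert.
USERS: Dict[str, str] = {
    "1001": "alice@example.com",
    "1002": "bob@example.com",
}

# Constructed secret standing in for the identity provider's signing key.
IDP_SECRET = b"constructed-idp-key-not-real"

# Server-side session store: opaque session token -> user id.
SESSIONS: Dict[str, str] = {}


def login_weak(request: dict) -> Optional[str]:
    """Vulnerable pattern: trusts a client-supplied user id as proof of identity.

    The 'Login with Google' step is purely cosmetic; nothing the client sends
    is verified, so knowing a public user id is enough to receive a session.
    """
    user_id = request.get("user_id")
    if user_id not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def idp_sign(email: str) -> str:
    """Simulates the identity provider issuing a signed assertion for an email."""
    return hmac.new(IDP_SECRET, email.encode(), hashlib.sha256).hexdigest()


def verify_assertion(email: str, signature: str) -> bool:
    """Server-side check that the assertion really came from the IdP."""
    expected = idp_sign(email)
    return hmac.compare_digest(expected, signature)


def login_hardened(request: dict) -> Optional[str]:
    """Hardened pattern: the account is derived from a verified assertion.

    The client never tells the server who it is; it presents the identity
    provider's signed statement, the server verifies it, maps the asserted
    email to an account, and only then mints an unguessable session token.
    """
    email = request.get("email")
    signature = request.get("id_assertion")
    if not email or not signature or not verify_assertion(email, signature):
        return None
    # Look up the account by the verified email, never by a client-chosen id.
    user_id = next((uid for uid, e in USERS.items() if e == email), None)
    if user_id is None:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def whoami(token: Optional[str]) -> Optional[str]:
    """Resolves a session token back to the user it was issued for."""
    if token is None:
        return None
    return SESSIONS.get(token)
```

The point of the side-by-side is the audit question it suggests for any app built from bought source code: does the login endpoint ever accept an identifier the client chose, or does it only ever derive the identity from something it has cryptographically verified? In the hardened form a request carrying only `user_id` is rejected outright, and an assertion for an email that is not in the user table yields no session either.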
It was found that the Mitron app was not developed from scratch, but a ready-made app purchased from the Internet and rebranded.
On analyzing the app’s code for vulnerabilities, it was confirmed that Mitron is actually a repackaged version of the TicTic app created by the Pakistani software development company Qboxus, which sells it as a ready-to-launch clone of TikTok, musical.ly or Dubsmash-like services.
Irfan Sheikh, CEO of Qboxus, said in an interview that his company sells the source code, which could be customized by the buyers.
Irfan Sheikh of Qboxus, the Lahore-based company that sold the source code to Shivank Agarwal, reportedly an IIT Roorkee student, also said that “Mitron app has privacy issues because the app developer has not uploaded the privacy policy.” He said they do not encourage their buyers to just put it out there for public use as it is.
All attempts to contact Agarwal proved futile. The Mitron app now has over 5 million downloads with a 4.7 rating. Interestingly, the Qboxus website showcases Mitron as one of its best apps.
Besides Mitron’s owner, more than 250 other developers have also purchased the TicTic app code since last year, and each is potentially running a service that can be hacked using the same vulnerability.
A few days back, Sheikh rubbished Mitron's claims of being a “made-in-India” app. "We expect our customers to use our code and build something on their own," he said. But Mitron's developer, Sheikh added, has taken the exact product, TicTic, changed the logo and uploaded it to their store. "There is no problem with what the developer has done. He paid for the script and used it, which is okay. But the problem is with people referring to it as an Indian-made app, which is not true, especially because they have not made any changes," Sheikh said.
According to Sheikh, Agarwal reached out to them to buy the source code of the TicTic app and later launched it as Mitron in India. Agarwal purchased the code for $34, roughly Rs 2,500.
Even though the code was developed by the Pakistani company, the real identity of the person behind the Mitron app is not yet confirmed. Some reports say it is owned by a former student of the Indian Institute of Technology Roorkee (IIT Roorkee).
While there is no issue with the source code coming from Pakistan, it should never have been used as it is. Given that no changes were made to the algorithms, there is a chance that if Qboxus wants to sell the source code to a third party, they can easily do so and then tap into the database of Mitron users.
The researcher tried to report the vulnerability to the app owner, but was unsuccessful because the email address provided on the Google Play Store does not work.
The homepage of the web server (shopkiller.in) where the app's backend infrastructure is hosted is also blank.
Mitron users are advised not to install or use this untrusted application, as it contains an unpatched flaw, its owner is unknown, and it has no privacy policy or terms of use.
According to Sheikh, Qboxus does push out updates to its apps, but it is up to the developer whether to include them in his app. "We will push out updates to fix bugs in the TikTok app and since Agarwal has bought the license, he will also receive the updated code notification in his email from CodeCanyon. After that, it's up to him if he wants to push that update into Mitron or not. In short, once you purchase the license from CodeCanyon, the buyer receives lifetime updates free of cost without paying additional money."
There is also the possibility that the company might push out malicious code or malware in a future update, giving it direct control of the app. Any app that asks for access to the phone's camera, microphone and location comes with a huge risk and provides access that can allow such apps to monitor users 24/7. "Not just Mitron, any app that asks for access to the camera, location and microphone is risky to use, including TikTok."
Users who have created an account in the Mitron app and granted it access to their Google profile must revoke that access immediately.
It is not possible to delete your Mitron account, but a hacked Mitron user profile would not affect you unless you have at least a few thousand followers on the platform.
All users are advised to uninstall the app from their phones to ensure the safety of their data and sensitive information.