Any Mitron (Viral TikTok Clone) Profile Can Be Hacked in Seconds

Mitron (means “friends” in Hindi), you have been fooled again!

Mitron is not really a ‘Made in India’ product, and the viral app contains a highly critical, unpatched vulnerability that could allow anyone to hack into any user account without requiring interaction from the targeted users or their passwords.

I am sure many of you already know what TikTok is, and for those still unaware, it’s a highly popular video social platform where people upload short videos of themselves doing things like lip-syncing and dancing.

The wrath faced by Chinese-owned TikTok from all directions—mostly due to data security and ethnopolitical reasons—gave birth to new alternatives in the market, one of which is the Mitron app for Android.

The Mitron video social platform recently caught headlines when the Android app crazily gained over 5 million installations and 250,000 5-star ratings in just 48 days after being released on the Google Play Store.

Popped out of nowhere, Mitron is not owned by any big company, but the app went viral overnight, capitalizing on its name that is popular in India as a commonly used greeting by Prime Minister Narendra Modi.

Besides this, PM Modi’s latest ‘vocal for local’ initiative to make India self-reliant has indirectly set up a narrative in the country to boycott Chinese services and products, and of course, #tiktokban and #IndiansAgainstTikTok hashtags trending due to TikTok vs. YouTube battle and CarryMinati roast video also rapidly increased the popularity of Mitron.

Any Mitron User’s Account Can Be Hacked in Seconds

The insecurity that TikTok is a Chinese app and might have allegedly been abusing its users’ data for surveillance, unfortunately, turned millions into blindly signing up for a less trusted and insecure alternative.

The Hacker News learned that the Mitron app contains a critical and easy-to-exploit software vulnerability that could let anyone bypass account authorization for any Mitron user within seconds.

The security issue, discovered by Indian vulnerability researcher Rahul Kankrale, resides in the way the app implemented the ‘Login with Google’ feature, which asks users’ permission to access their profile information via Google account while signing up but, ironically, doesn’t use it or create any secret tokens for authentication.

In other words, one can log into any targeted Mitron user profile just by knowing his or her unique user ID, which is a piece of public information available in the page source, and without entering any password—as shown in a video demonstration by Rahul.

The Hacker News post: https://thehackernews.com/2020/05/titok-mitron-app-hacking.html

4 Likes
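To make the flaw class in the post concrete, here is an added illustration that is not Mitron's code and not from The Hacker News article: a "Login with Google" backend that trusts a client-supplied user ID (the pattern described above), beside the hardened form that verifies the identity provider's signed token before minting its own session. The user table, account links, token format and the simulated provider (an HMAC stand-in for Google's signed ID token, so it runs offline) are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

USERS = {"1001": "alice", "1002": "bob"}   # constructed user table (public IDs)
SESSIONS: dict = {}                          # server session token -> user id


def login_vulnerable(request: dict) -> Optional[str]:
    """Flawed pattern: the server takes the user id from the client and issues a
    session for it. A public profile id is then all that is needed to log in."""
    uid = request.get("user_id")
    if uid not in USERS:
        return None
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = uid
    return token


# Simulated identity provider: hypothetical stand-in for Google's signed ID token.
IDP_KEY = b"constructed-idp-signing-key"
GOOGLE_SUB_TO_UID = {"g-alice": "1001", "g-bob": "1002"}   # constructed account links


def issue_idp_token(google_sub: str) -> str:
    payload = base64.urlsafe_b64encode(json.dumps({"sub": google_sub}).encode()).decode()
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def login_hardened(request: dict) -> Optional[str]:
    """Correct pattern: verify the provider-signed token, derive the account from
    the verified subject, and only then mint a server-side session secret."""
    payload, _, sig = request.get("id_token", "").partition(".")
    expected = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None                      # missing, forged or tampered token
    sub = json.loads(base64.urlsafe_b64decode(payload))["sub"]
    uid = GOOGLE_SUB_TO_UID.get(sub)
    if uid is None:
        return None                      # verified identity, but no linked account
    session = secrets.token_urlsafe(16)
    SESSIONS[session] = uid
    return session


def whoami(session: Optional[str]) -> Optional[str]:
    return SESSIONS.get(session) if session else None
```

The vulnerable variant hands out a session for any known public ID, while the hardened variant rejects requests that carry only a user ID or a tampered token.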

The clone app source code was bought by Mitron’s founders from a Pakistani on CodeCanyon for $34.

1 Like

Which software are you using?