Mitron, a viral video app, contains a highly critical, unpatched vulnerability that could let anyone take over any user account without needing a password or any interaction from the targeted user.
Mitron means “friends” in Hindi, and the app is not an Indian product.
The viral video social platform TikTok, which is Chinese-owned, faced outrage from all sides over its lack of data security and for ethnopolitical reasons. This led to the emergence of new alternatives, one of which is the Mitron app for Android.
Mitron recently made the news when the Android app was installed by more than 5 million users and received a 5-star rating from 250,000 users within just 48 days of its release on the Google Play Store.
Mitron is not owned by any big company; the app became a sensation overnight by trading on a name that is popular in India as the greeting commonly used by Prime Minister Narendra Modi.
In addition, the PM's ‘vocal for local’ initiative to make India self-reliant has indirectly created a mood in the country to boycott Chinese services and products. All of this contributed to the rise in Mitron's popularity.
The insecurity of TikTok drove more users to the Mitron app. However, the app contains a critical and easy-to-exploit software vulnerability that could allow anyone to bypass account authorization for any Mitron user within seconds.
Indian vulnerability researcher Rahul Kankrale spotted the flaw, which lies in the way the app implements its ‘Login with Google’ feature: during sign-up it asks for permission to access the user's Google profile information but, in fact, never uses it and never creates any secret token for authentication.
In simple words, anyone can log into a targeted Mitron user's profile, without entering any password, if they merely know the user's unique user ID, which is a piece of public information available in the page source.
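To make the flaw concrete, here is an added illustration (not Mitron's or TicTic's code) of the pattern described above: a login handler that trusts a client-supplied user ID beside one that derives identity only from a verified Google ID token. The account table, client ID, signing key and token format are constructed stand-ins, and the HMAC check stands in for verifying Google's RS256 signature against its published keys.

```python
import base64, hashlib, hmac, json, time

# Constructed demo data: accounts keyed by the Google ID token's `sub` claim.
ACCOUNTS = {"google-sub-1001": {"user_id": "42", "name": "alice"}}
APP_CLIENT_ID = "demo-client-id.apps.googleusercontent.com"  # placeholder audience
DEMO_KEY = b"demo-signing-key"  # stand-in for Google's public signing keys

def login_vulnerable(request):
    """Pattern the article describes: the client-supplied user id is taken as
    proof of identity, so a public id alone yields a session."""
    for acct in ACCOUNTS.values():
        if acct["user_id"] == request.get("user_id"):
            return "session-for-" + acct["user_id"]
    return None

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_demo_token(claims, key=DEMO_KEY):
    """Mint a demo token (HMAC instead of Google's RS256; constructed for testing)."""
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(sig)

def verify_id_token(token, key=DEMO_KEY, now=None):
    """Return the claims only if signature, issuer, audience and expiry all check out."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except ValueError:  # malformed base64, JSON or token shape
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") not in ("accounts.google.com", "https://accounts.google.com"):
        return None
    if claims.get("aud") != APP_CLIENT_ID or claims.get("exp", 0) <= now:
        return None
    return claims

def login_hardened(request, key=DEMO_KEY, now=None):
    """Identity comes from the verified token's `sub`, never from the request body."""
    claims = verify_id_token(request.get("id_token", ""), key, now)
    acct = ACCOUNTS.get(claims.get("sub")) if claims else None
    return "session-for-" + acct["user_id"] if acct else None
```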
It also emerged that the Mitron app was not developed from scratch, but is a ready-made app purchased on the Internet and rebranded.
On analyzing the app's code for vulnerabilities, Rahul found that Mitron is actually a repackaged version of the TicTic app, created by the Pakistani software development company Qboxus, which sells it as a ready-to-launch clone of services like TikTok, musical.ly or Dubsmash.
Irfan Sheikh, CEO of Qboxus, said in an interview that his company sells the source code, which buyers can customize.
Besides Mitron's owner, more than 250 other developers have purchased the TicTic app code since last year, and each is potentially running a service that can be hacked using the same vulnerability.
Even though the code was developed by the Pakistani company, the real identity of the person behind the Mitron app has not yet been confirmed. Some reports say it is owned by a former student of the Indian Institute of Technology Roorkee (IIT Roorkee).
The researcher tried to report the vulnerability to the app owner, but was unsuccessful because the email address provided on the Google Play Store is not correct.
Moreover, the homepage of the web server (shopkiller.in) hosting the app's backend infrastructure is blank.
Users who have created an account in the Mitron app and granted it access to their Google profile should revoke that access immediately.
It is not possible to delete your Mitron account, but a hijacked Mitron profile would not affect you unless you have at least a few thousand followers on the platform.
All users are advised to uninstall the app from their phones to keep their data and sensitive information safe.