
Mitron App Account Takeover Susceptibility: Unearthed

13 Jul, 2020
The Mitron app has been phenomenally popular: more than 5 million users downloaded it to their smartphones after its launch, and experts see it as India's reply to the popular Chinese app TikTok. However, app security professionals believe that Mitron has vulnerabilities that need to be fixed before it reaches more users. Google recently removed the app from the Play Store, but this appears to be coincidental, since Google removed the 'Remove China Apps' app from the Play Store at the same time.

The experts have listed a few security threats that every user must know about, together with the steps to reproduce the issue. Have a look at the following steps:

  • Open the app and log in to your own account with your username and password. Intercept the app's requests with a proxy such as Burp Suite; according to the researchers, no SSL-pinning bypass is needed.
  • Obtain the victim's user id, the fb_id, from any of their videos. For testing you can create a second account of your own and note its fb_id parameter value.
  • To take over the victim's account, log out of your own account, turn on 'Intercept' in Burp's Proxy tab, and open the Profile tab.
  • Tap the Google symbol in the popup. The following request appears in Burp Suite:
    POST /API/index.php?p=signup HTTP/1.1
    Content-Type: application/json; charset=utf-8
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.0; Redmi Note 4 MIUI/V11.0.2.0.NCFMIXM)
    Host: shopkiller.in
    Connection: close
    Accept-Encoding: gzip, deflate
    Content-Length: 165

    {"fb_id":"10638393290252645721","first_name":"Rahul","last_name":"rk","profile_pic":"null","gender":"m","version":"1.2.10","signup_type":"gmail","device":"android"}
  • Change the value of the fb_id parameter to the victim's fb_id and forward the request. The app is now logged in as the victim: you can follow users, like videos and change the profile picture on the victim's behalf.
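The steps above boil down to one server-side mistake: the signup endpoint treats the fb_id the client sends as proof of who the client is. The following Python is an added example (not Mitron's code, which is a PHP backend we cannot see) that models the vulnerable handler beside a hardened one. The hardened handler derives the identity from a verified sign-in token and ignores any fb_id in the body. The token format, IDP_SECRET, APP_AUDIENCE, the ATTACKER_ID value and the HMAC "identity provider" are all assumptions that stand in for Google's RS256-signed ID tokens so the example runs offline; a real fix would verify Google's token against Google's published keys (for example with google.oauth2.id_token.verify_oauth2_token).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample identities (not real data). Keys are "fb_id" values as the app uses them.
VICTIM_ID = "10638393290252645721"    # the fb_id in the captured request above
ATTACKER_ID = "99999999999999999999"  # constructed id for the tester's own account


def vulnerable_signup(body: dict) -> dict:
    """Behaviour described in the write-up: the client-supplied fb_id *is* the identity.
    Nothing ties the request to a completed Google sign-in, so editing fb_id in
    the proxy logs the caller in as anyone."""
    return {"logged_in_as": body["fb_id"], "signup_type": body.get("signup_type")}


# --- Hardened variant: identity is derived from a verified token, never from the body ---
# Assumption: IDP_SECRET, APP_AUDIENCE and the HMAC token below stand in for the real
# identity provider (Google issues RS256-signed ID tokens; verify those with the
# provider's published keys, e.g. google.oauth2.id_token.verify_oauth2_token).
IDP_SECRET = b"stand-in-idp-signing-key"
APP_AUDIENCE = "mitron-android-client"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(sub: str, ttl: int = 300) -> str:
    """Simulated identity provider: signs {sub, aud, exp} for the user who really signed in."""
    claims = {"sub": sub, "aud": APP_AUDIENCE, "exp": int(time.time()) + ttl}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig


def verify_token(token: str) -> Optional[dict]:
    """Returns the claims if signature, audience and expiry check out, else None."""
    if token.count(".") != 1:
        return None
    payload, sig = token.split(".")
    expected = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("aud") != APP_AUDIENCE or claims.get("exp", 0) <= int(time.time()):
        return None
    return claims


def hardened_signup(body: dict) -> Optional[dict]:
    """Identity = verified token subject. Any fb_id in the body is ignored."""
    claims = verify_token(body.get("id_token", ""))
    if claims is None:
        return None  # reject: no proof the caller completed the Google sign-in
    return {"logged_in_as": claims["sub"], "signup_type": body.get("signup_type")}


def attacker_edit_sub(token: str, new_sub: str) -> str:
    """The proxy trick from the write-up applied to the token: rewrite the subject
    claim but keep the original signature. Shows why the hardened path rejects it."""
    payload, sig = token.split(".")
    claims = json.loads(_unb64(payload))
    claims["sub"] = new_sub
    return _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig


if __name__ == "__main__":
    print("vulnerable:", vulnerable_signup({"fb_id": VICTIM_ID, "signup_type": "gmail"}))
    tok = idp_issue_token(ATTACKER_ID)
    print("hardened, honest token:", hardened_signup({"fb_id": VICTIM_ID, "id_token": tok}))
    print("hardened, edited sub:", hardened_signup({"id_token": attacker_edit_sub(tok, VICTIM_ID)}))
```

The point to take from the hardened handler is that the server never reads the identity from a field the proxy can edit: the body's fb_id is discarded, the subject comes out of a signature check, and the same edit that worked on fb_id fails on the token because the signature no longer matches.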

The cyber security specialist at ISOEH agrees that the issue is easy to reproduce by following the steps above. In his view it exists because the Mitron app has no authentication mechanism anywhere in its code: the signup endpoint accepts whatever fb_id the client supplies as the user's identity, without ever checking that the caller actually completed the Google sign-in the request claims.
