Mitron App Account Takeover Susceptibility: Unearthed

The popularity of the Mitron app has been phenomenal as more than 5 million users downloaded it in their Smartphones since it got launched. The experts believe that is India’s reply to the popular Chinese app Tiktok. However, the app development professionals believe that Mitron App has some vulnerabilities that need to be fixed before it reaches further users. Recently, Google has also removed the app from the Play Store. However, this event is coincidental as Google has also removed the ‘Remove China Apps’ App from the Play Store.

The experts have listed a few security threats that every user must know. They have come up with a few steps to reproduce the same as well. Have a look at the following steps:

• Open the app and log in to your customer account using the unique username and password. You can then intercept requests using a proxy like BURP. The experts advise you to do this without bypassing SSL pinning.
• Get the user id of the victims, which is fb_id from any video. You can even create another user account for testing. You just need to note the fb_id parameter value.
• You can now take over the victim’s account, logout from your account, and go to the profile tab and activate ‘Intercept Request’ On. You can use the burp’s proxy tab for this action.
• You can now click on Google symbol in Popup. Here, you can see the flowing request in the Burp suite:
  POST /API/index.php?p=signup HTTP/1.1 Content-Type: application/json; charset=utf-8 User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.0; Redmi Note 4 MIUI/V11.0.2.0.NCFMIXM) Host: shopkiller.in Connection: close Accept-Encoding: gzip, deflate Content-Length: 165 {"fb_id":"10638393290252645721","first_name":"Rahul","last_name":"rk","profile_pic":"null","gender":"m","version":"1.2.10","signup_type":"gmail","device":"android"}
• You would need to edit the value of fb_id parameters to the victim’s fb_id and forward the request. Here, you can see the app gets logged in as the victim. Now, you could follow any user on behalf of the victim, like any video on behalf of the victim and change profile picture, etc.

The cyber security specialist at ISOEH agrees that reproduction is easy by following the steps mentioned above. He is of the view that it happens mostly because of the fact that the Mitron app has no authentication mechanism anywhere in the codes.