Hacking Mitron TikTok App

Mitron (means “friends” in Hindi), you have been fooled again!

Mitron is not really a ‘Made in India’ product, and the viral
app contains a highly critical, unpatched vulnerability that could
allow anyone to hack into any user account without requiring
interaction from the targeted users or their passwords.

I am sure many of you already know what TikTok is; for those
still unaware, it is a highly popular video social platform where
people upload short videos of themselves doing things like
lip-syncing and dancing.

The wrath faced by Chinese-owned TikTok from all
directions—mostly due to data security and ethnopolitical
reasons—gave birth to new alternatives in the market, one of which
is the Mitron app for Android.

The Mitron [1] video social platform recently made headlines when
its Android app gained over 5 million installations and 250,000
5-star ratings in just 48 days after being released on the Google
Play Store.

Appearing out of nowhere, Mitron is not owned by any big company,
yet the app went viral overnight, capitalizing on a name that is
popular in India as a greeting commonly used by Prime Minister
Narendra Modi [2].

Besides this, PM Modi's latest 'vocal for local' [3] initiative to
make India self-reliant has indirectly set up a narrative in the
country to boycott Chinese services and products; the #tiktokban
and #IndiansAgainstTikTok hashtags trending because of the TikTok
vs. YouTube [4] battle and the CarryMinati roast video also rapidly
increased the popularity of Mitron.

Any Mitron Users Account Can Be Hacked in Seconds

Concern that TikTok is a Chinese app that might be abusing its
users' data for surveillance unfortunately led millions to blindly
sign up for a less trusted and insecure alternative.

The Hacker News learned that the Mitron app contains a critical
and easy-to-exploit software vulnerability that could let anyone
bypass account authorization for any Mitron user within
seconds.

The security issue, discovered by Indian vulnerability researcher
Rahul Kankrale [5], resides in the way the app implements its
'Login with Google' feature, which asks for permission to access
the user's Google profile information during sign-up but,
ironically, neither uses that information nor creates any secret
token for authentication.

In other words, one can log into any targeted Mitron user profile
just by knowing his or her unique user ID, which is a piece of
public information available in the page source, and without
entering any password—as shown in a video demonstration Rahul
shared with The Hacker News.
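As an added illustration (not code from Mitron, TicTic or the researcher): a backend login handler that trusts a client-supplied user ID, beside one that authenticates only a verified Google ID token and mints its own session secret. The client ID, signing key, user record and the HMAC-signed stand-in for Google's RS256 ID token are all constructed for this example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed stand-ins: the app's OAuth client id and a key playing the role of
# Google's token-signing key (Google uses RS256; HMAC keeps the example offline).
# Production code would call google.oauth2.id_token.verify_oauth2_token() instead.
CLIENT_ID = "example-app.apps.googleusercontent.com"
IDP_KEY = b"constructed-identity-provider-key"
USERS = {"109876543210": {"name": "alice"}}   # constructed record keyed by Google 'sub'
SESSIONS = {}                                  # session token -> user id

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _new_session(uid: str) -> str:
    token = secrets.token_urlsafe(32)      # unguessable, minted server-side
    SESSIONS[token] = uid
    return token

def login_vulnerable(request: dict) -> str:
    """Flawed pattern: the client names the account and the server believes it.
    The id is public (it appears in page source), so no secret is ever checked."""
    uid = request["user_id"]
    if uid not in USERS:
        raise PermissionError("unknown user")
    return _new_session(uid)

def verify_id_token(token: str) -> dict:
    """Accept a claim set only after signature, audience, issuer and expiry pass."""
    head, body, sig = token.split(".")
    mac = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64u_dec(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64u_dec(body))
    if claims.get("aud") != CLIENT_ID or claims.get("iss") != "https://accounts.google.com":
        raise PermissionError("token not issued for this app")
    if claims.get("exp", 0) < time.time():
        raise PermissionError("token expired")
    return claims

def login_fixed(request: dict) -> str:
    """Hardened pattern: identity comes only from the verified token's 'sub' claim."""
    claims = verify_id_token(request["id_token"])
    USERS.setdefault(claims["sub"], {"name": claims.get("name", "")})
    return _new_session(claims["sub"])

def make_id_token(claims: dict) -> str:   # constructed issuer for tests only; Google signs real ones
    head, body = _b64u(b'{"alg":"HS256","typ":"JWT"}'), _b64u(json.dumps(claims).encode())
    return f"{head}.{body}." + _b64u(hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest())
```

The fixed handler never reads an account identifier from the request body; a forged or re-targeted token fails the signature or audience check before any session is issued.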

Mitron App Was Not Developed; Instead Bought For Just $34

In separate news, it turns out that the Mitron app, promoted as a
homegrown competitor to TikTok, was not developed from scratch;
instead, someone purchased a ready-made app from the Internet and
simply rebranded it.

While reviewing the app's code for vulnerabilities, Rahul found
that Mitron is actually a repackaged version of the TicTic app [6],
created by the Pakistani software development company Qboxus, which
sells it as a ready-to-launch clone of TikTok, musical.ly or
Dubsmash-like services.

In an interview with the media, Irfan Sheikh, CEO of Qboxus, said
his company sells the source code, which the buyers are expected to
customize.

“There is no problem with what the developer has done. He paid
for the script and used it, which is okay. But, the problem is with
people referring to it as an Indian-made app, which is not true,
especially because they have not made any changes,” Irfan said.

Besides Mitron's owner, more than 250 other developers have also
purchased the TicTic app code since last year, each potentially
running a service exposed to the same vulnerability.

Who is Behind the Mitron App? An Indian or a Pakistani?

Though the code was developed by the Pakistani company, the real
identity of the person behind the Mitron app (TicTic at heart,
TikTok by face) has not yet been confirmed; however, some reports
suggest it is owned by a former student of the Indian Institute of
Technology (IIT Roorkee).

Rahul told The Hacker News that he tried to responsibly report
the flaw to the app owner but failed, because the email address
listed on the Google Play Store, the only available point of
contact, is non-operational.

Besides this, the homepage for the web server (shopkiller.in),
where the backend infrastructure of the app is hosted, is also
blank.

Considering that the flaw actually resides in the TicTic app
code and affects any other similar cloned service running out
there, The Hacker News has reached out to Qboxus and disclosed
details of the flaw before publishing this story.

We will update this article when we receive a response.

Is Mitron App Safe to Use?

In short, since:

  • the vulnerability has not yet been patched,
  • the owner of the app is unknown,
  • the privacy policy of the service doesn’t exist, and
  • there are no terms of use,

… it is highly recommended that you simply do not install or use
this untrusted application.

If you are among the 5 million who have already created a
profile with the Mitron app and granted it access to your Google
profile, revoke that access immediately [7].

Unfortunately, there is no way to delete your Mitron account
yourself, but a hijacked Mitron profile would not have a severe
impact unless you have at least a few thousand followers on the
platform.

However, keeping an untrusted app installed on your smartphone
is not a good idea and could put your data from other apps and
sensitive information stored on it at risk, so users are advised to
uninstall the app for good.

References

  1. Mitron (play.google.com)
  2. greeting by Prime Minister (scroll.in)
  3. vocal for local (www.outlookindia.com)
  4. TikTok vs. YouTube (gadgets.ndtv.com)
  5. Rahul Kankrale (twitter.com)
  6. TicTic app created by a Pakistani (codecanyon.net)
  7. revoke it immediately (myaccount.google.com)
