Mitron, a video-making app, has been gaining immense popularity among Indian users as a rival to the popular video app TikTok. The app has already crossed 5 million downloads on the Google Play Store, with an average rating of 4.7 stars. However, it has come to light that the app has a major security vulnerability that lets threat actors exploit users’ accounts by easily bypassing account authorization.
As first reported by The Hacker News, cybersecurity researcher Rahul Kankrale revealed that the flaw lies in the app’s ‘Login with Google’ feature. This feature asks for the user’s permission to access their profile information via their Google account when they sign up. However, it does not use any secret tokens to authenticate the user. So an attacker only needs to know the victim’s unique user ID to access the account, without requiring any password.
Add to this the fact that Mitron was not made by Indian developers; instead, it was bought from a Pakistani software development company, Qboxus, for $34, i.e. Rs 2,600. The Mitron app’s entire source code was bought from Qboxus along with its features and user interface, after which it was rebranded as ‘Mitron’ in India. In fact, the Mitron developers have taken the exact product from Qboxus and have not changed anything in the interface.
As a precautionary measure, users are advised to uninstall the app, as it can put their accounts and data at risk.
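
The login flaw described above comes down to a server that selects the account from a user ID supplied by the client. The sketch below is an added example, not Mitron's or Qboxus's code: it contrasts that pattern with a login that accepts only a signed, unexpired token. The account store, key, function names and the HMAC token (a stand-in for verifying Google's signature on an ID token) are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the identity provider's signing key. A real
# "Login with Google" backend verifies Google's signature on the ID token.
PROVIDER_KEY = b"constructed-demo-key"

# Constructed account store keyed by user ID.
ACCOUNTS = {"1001": {"name": "alice"}, "1002": {"name": "bob"}}


def issue_token(user_id, ttl=300, key=PROVIDER_KEY):
    """Identity-provider side: sign the user ID together with an expiry."""
    claims = {"sub": user_id, "exp": int(time.time()) + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def login_vulnerable(request):
    """Flawed pattern: the server trusts whatever user ID the client sends."""
    return ACCOUNTS.get(request.get("user_id"))


def login_hardened(request):
    """The account comes from a verified token, never from a client-sent ID."""
    token = str(request.get("token") or "")
    payload, _, sig = token.partition(".")
    expected = hmac.new(PROVIDER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; reject before parsing anything unauthenticated.
    if not payload or not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("exp", 0) < time.time():
        return None  # expired tokens are refused even when correctly signed
    return ACCOUNTS.get(claims.get("sub"))
```
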