Mitron App Account Takeover vulnerability

Summary: Mitron, an app that recently drew attention as a TikTok competitor after reaching 5 million downloads in a short time, is designed with no security at all. Here is the proof of concept.

Steps to reproduce:

  • 1. Open the app, log in to your account and intercept the request using a proxy such as Burp (yes, you can do this without bypassing SSL pinning, as no HTTPS is used).
  • 2. Get the victim's user id, which is the fb_id, from any video; for testing you can create another account and note its fb_id parameter value.
  • 3. To take over the victim's account, log out of your account, go to the profile tab and turn "Intercept request" on in Burp's Proxy tab.
  • 4. Click the Google symbol in the popup; in Burp Suite you can see the following request:
  • 5. Edit the fb_id parameter value to the victim's fb_id and forward the request. The app is now logged in as the victim, so you could follow any user on the victim's behalf, like any video on their behalf, change the profile picture, etc.

Very easy to reproduce, right? There is no authentication mechanism at all.
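The root cause described above is a login endpoint that treats a client-supplied identifier (fb_id) as proof of identity. The example below is added here and is not the Mitron app's code; it contrasts that pattern with a login handler that only accepts a signed assertion from the identity provider, checks the claimed id against the assertion, and then issues its own random session token. The identity provider is simulated with an HMAC-signed token under a constructed key (an assumption standing in for verifying a real Google ID token); all user ids and request dictionaries are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed key shared with the simulated identity provider (assumption; a real
# deployment verifies the provider's own signed ID token instead).
PROVIDER_KEY = b"constructed-provider-signing-key"

# Server-side session store: opaque random token -> authenticated user id.
SESSIONS: Dict[str, str] = {}


def issue_provider_token(provider_user_id: str) -> str:
    """Simulated identity provider: returns '<base64 payload>.<hmac>' for a user."""
    payload = json.dumps({"sub": provider_user_id}).encode()
    sig = hmac.new(PROVIDER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_provider_token(token: str) -> Optional[str]:
    """Return the user id asserted by a valid provider token, or None if invalid."""
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        claims = json.loads(payload)
        sub = claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(PROVIDER_KEY, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so a tampered payload is rejected without timing leaks.
    if not hmac.compare_digest(expected, sig):
        return None
    return sub if isinstance(sub, str) else None


def vulnerable_login(request: Dict[str, str]) -> Dict[str, str]:
    """The flawed pattern: whatever fb_id the client sends becomes the logged-in user."""
    user_id = request.get("fb_id", "")
    session = secrets.token_urlsafe(32)
    SESSIONS[session] = user_id
    return {"session": session, "user": user_id}


def hardened_login(request: Dict[str, str]) -> Dict[str, str]:
    """Identity comes only from a verified provider assertion, never from fb_id alone."""
    verified_user = verify_provider_token(request.get("id_token", ""))
    if verified_user is None:
        return {"error": "authentication failed"}
    # If the client also sends an id, it must match the verified assertion.
    claimed = request.get("fb_id")
    if claimed is not None and claimed != verified_user:
        return {"error": "authentication failed"}
    session = secrets.token_urlsafe(32)
    SESSIONS[session] = verified_user
    return {"session": session, "user": verified_user}


def whoami(session: str) -> Optional[str]:
    """Resolve an issued session token back to its user, as a protected endpoint would."""
    return SESSIONS.get(session)


if __name__ == "__main__":
    # Constructed ids: "alice" is the legitimate user, "bob" is the account being claimed.
    print(vulnerable_login({"fb_id": "bob"}))                  # flaw: logs in as bob
    print(hardened_login({"fb_id": "bob"}))                    # rejected: no assertion
    tok = issue_provider_token("alice")
    print(hardened_login({"fb_id": "bob", "id_token": tok}))   # rejected: id mismatch
    print(hardened_login({"id_token": tok}))                   # ok: logged in as alice
```

The session token is random and server-stored, so it conveys nothing about the user id; an attacker cannot build one for another account. In production the provider token verification would be the provider's documented check (signature, issuer, audience, expiry), and the transport would be HTTPS so the assertion cannot be read or replayed by an on-path observer, which is the second weakness the write-up notes.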

Video :

Note: I already tried to contact the developer, but they are not reachable (email bounced).
