
Mitron App Account Takeover vulnerability

Summary: The Mitron app recently drew attention because it reached 5 million downloads in a short time and competes with TikTok. But this app is designed with no security at all. Let's come to the proof of concept.


Steps to reproduce:

  • Open the app, log in to your account and intercept the requests using a proxy like Burp (yes, you can do this without bypassing SSL pinning, as no HTTPS is used).
  • Get the victim's user id, which is the fb_id, from any video; or, for testing, create another account and note the value of its fb_id parameter.
  • Now, to take over the victim's account, log out of your account, go to the profile tab and turn "Intercept is on" in Burp's Proxy tab.
  • Click on the Google symbol in the popup. In Burp Suite you can see the following request:

  • Edit the fb_id parameter value to the victim's fb_id and forward the request. You can see the app gets logged in as the victim; now you could follow any user on behalf of the victim, like any video on behalf of the victim, change the profile picture, etc.

Very easy to reproduce, right? There is no authentication mechanism at all: the server trusts whatever fb_id the client sends.
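As an added example (not code from the original post or from the Mitron app), here is a minimal Python model of the login handler the steps above imply, with the flawed version beside a hardened one. The vulnerable handler issues a session for whatever fb_id arrives in the request body; the hardened handler ignores that field and takes the account identity only from a verified identity-provider token. The handler names, the user table, the token format (an HMAC-signed stand-in for Google's RS256 ID tokens, used so the example runs offline) and the secret are all constructed assumptions.

```python
"""Constructed model of a social-login endpoint: vulnerable vs. hardened.

Nothing here is the app's real code; names, data and token format are assumed.
"""
import base64
import hashlib
import hmac
import json

# Constructed user table, keyed by the social-login id ("fb_id" in the post).
USERS = {
    "100001": {"name": "alice"},
    "100002": {"name": "bob"},
}


# --- Vulnerable handler: trusts whatever identifier the client sends. ---
def login_vulnerable(request: dict):
    """Return a session for the account named in the request body.

    This mirrors the flaw in the post: the server never checks that the caller
    actually authenticated with the identity provider, so any fb_id works.
    """
    fb_id = request.get("fb_id")
    if fb_id in USERS:
        return {"session_for": fb_id}
    return None


# --- Hardened handler: derives the identity from a verified token. ---
# Stand-in for identity-provider token verification. Real Google ID tokens are
# RS256 JWTs checked against Google's published keys (for example with
# google.oauth2.id_token.verify_oauth2_token); an HMAC is used here only so
# the example runs offline. Secret and audience are constructed values.
IDP_SECRET = b"constructed-idp-secret"
EXPECTED_AUDIENCE = "example-app-client-id"


def idp_issue_token(sub: str, aud: str, exp: int) -> str:
    """Mint a signed token the way an identity provider would (test helper)."""
    claims = json.dumps({"sub": sub, "aud": aud, "exp": exp}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    sig = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str, now: int):
    """Return the verified subject, or None if signature, audience or expiry fail."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a tampered payload no longer matches the signature.
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("aud") != EXPECTED_AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def login_hardened(request: dict, now: int):
    """Return a session only for the subject inside a valid provider token.

    Any fb_id in the body is ignored; the identity comes from the token.
    Serve this endpoint over TLS only: the post notes the app used plaintext
    HTTP, and a token captured on the wire can be replayed until it expires.
    """
    sub = verify_token(request.get("id_token", ""), now)
    if sub is None or sub not in USERS:
        return None
    return {"session_for": sub}


def demo():
    """Run the forged request against both handlers and return the outcomes."""
    now = 1_600_000_000  # constructed clock value
    alice_token = idp_issue_token("100001", EXPECTED_AUDIENCE, now + 3600)
    forged = {"fb_id": "100002"}  # bob's id, sent with no proof of identity
    return {
        "vulnerable": login_vulnerable(forged),
        "hardened_no_token": login_hardened(forged, now),
        "hardened_alice_token": login_hardened({**forged, "id_token": alice_token}, now),
    }


if __name__ == "__main__":
    print(demo())
```

The third case in `demo()` is the one to note: even with a stray fb_id in the body, the hardened handler logs in the token's subject (alice), not the id the client asked for, because the server no longer consults client-chosen identity fields at all.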

Video:

Note: I already tried to contact the developer, but they are not reachable (email bounced).

This post is licensed under CC BY 4.0 by the author.