Summary: The Mitron app recently drew attention as a TikTok competitor that reached 5 million downloads in a short time.
The app, however, was built with effectively no authentication: the login request identifies the user solely by a client-supplied identifier. The proof of concept follows.
Steps to reproduce:
- 1. Open the app, log in to your own account, and intercept the traffic with a proxy such as Burp Suite. No SSL-pinning bypass is needed because the app does not use HTTPS; every request travels as plaintext HTTP, so the proxy (and anyone else on the network path) sees every parameter.
- 2. Obtain the victim's user id, which is the fb_id parameter. It appears in the requests for any video; for testing, create a second account and note its fb_id value.
- 3. To take over the victim's account, log out, go to the profile tab, and turn on "Intercept" in Burp's Proxy tab.
- 4. Tap the Google icon in the login popup. Burp intercepts the following login request:
- 5. Change the fb_id parameter to the victim's fb_id and forward the request. The app is now logged in as the victim: you can follow users, like videos, and change the profile picture on the victim's behalf.
Very easy to reproduce, because there is no authentication mechanism at all: the server treats whatever fb_id the client sends as the authenticated identity, without any proof that the client actually signed in to that Google or Facebook account.
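To make the root cause concrete, here is an added example (not Mitron's code; everything except the parameter name fb_id is hypothetical and constructed) of the vulnerable login pattern the steps above exploit, next to a hardened version. The insecure handler does what the write-up describes: it turns a client-supplied fb_id straight into a session. The hardened handler ignores fb_id and derives the identity only from a signed assertion issued by the identity provider after the user actually authenticated, checking signature, audience and expiry. Real providers sign OpenID Connect ID tokens with RSA/EC keys that the server verifies against the provider's published keys; an HMAC with a made-up key stands in for that here only so the example runs offline.

```python
"""Vulnerable 'trust the client-supplied user id' login beside a hardened one.

Added example, constructed for illustration; not the Mitron server's code.
Only the parameter name fb_id is taken from the write-up. PROVIDER_KEY,
APP_AUDIENCE and all functions are hypothetical.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

SESSIONS: Dict[str, str] = {}  # session token -> user id


def login_insecure(params: dict) -> Optional[str]:
    """Vulnerable: the identifier in the request *is* the authenticated identity.
    Anyone who knows a victim's fb_id (visible in plaintext HTTP) logs in as them."""
    fb_id = params.get("fb_id")
    if not fb_id:
        return None
    SESSIONS[secrets.token_hex(16)] = fb_id
    return fb_id


# --- Hardened variant ------------------------------------------------------
# Stand-in for the identity provider (Google/Facebook). In reality the provider
# signs an ID token with its own private key and the app server verifies it
# with the provider's public keys; this shared HMAC key exists only so the
# example runs offline, and such a key would never live on the app server.
PROVIDER_KEY = b"constructed-provider-signing-key"   # hypothetical
APP_AUDIENCE = "mitron-example-client"               # hypothetical client id


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def provider_issue_token(subject: str, now: Optional[float] = None) -> str:
    """What the provider hands back *after it has authenticated the user*.
    The subject is bound into the signature, so the client cannot edit it."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": APP_AUDIENCE, "exp": now + 300}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_id_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the provider-asserted subject, or None if the token is untrustworthy."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # tampered body or signature
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("aud") != APP_AUDIENCE or claims.get("exp", 0) <= now:
        return None  # token meant for another app, or expired
    return claims.get("sub")


def login_secure(params: dict) -> Optional[str]:
    """Hardened: identity comes only from the verified token's sub claim.
    A client-supplied fb_id is ignored, so editing it in a proxy changes nothing."""
    subject = verify_id_token(params.get("id_token", ""))
    if subject is None:
        return None
    SESSIONS[secrets.token_hex(16)] = subject
    return subject


if __name__ == "__main__":
    victim, attacker = "100004455667788", "100009988776655"  # constructed ids
    print("insecure:", login_insecure({"fb_id": victim}))          # victim's session
    print("secure, fb_id only:", login_secure({"fb_id": victim}))  # None
    tok = provider_issue_token(attacker)
    print("secure, forged fb_id:", login_secure({"fb_id": victim, "id_token": tok}))  # attacker
```

The fix is server-side: the app must hand the provider's token to the backend and let the backend verify it, and the session must be issued for the subject in that token, never for an identifier the client typed. Moving the traffic to HTTPS is necessary as well, since the plaintext transport is what made the fb_id values and the login request trivially visible, but transport security alone would not stop a user editing their own requests in a proxy.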
Video:
Note: I already tried to contact the developer, but they are not reachable (the email bounced).
One Reply to “Mitron App Account Takeover vulnerability”