‘Great Platform’: IT Minister Hails Repackaged & Unsafe Mitron App
By exploiting a vulnerability one can log into any targeted Mitron user profile just by knowing her unique user ID.
Mitron App, which has recently made headlines for being downloaded over 5 million times and hailed as India’s ‘desi’ answer to TikTok, has been found to be a repackaged version of a Pakistani app called TicTic.
The Quint had reported on 29 May how Mitron, bought for $34 from Code Canyon, even contained the same security vulnerability present on TicTic.
However, on the same day when Mitron was proven to have not been developed in India by a former IIT Roorkee student, Electronics & IT Minister Ravi Shankar Prasad praised the app as India’s answer to TikTok and Facebook.
“I just now congratulated Shivank Agarwal from Jhansi, IIT Roorkee computer engineer. He has created a great platform, Mitron, a reply to TikTok and Facebook.”
Ravi Shankar Prasad, Electronics & IT Minister
Prasad was speaking online at the Prof NR Madhava Menon Memorial Lecture Series organised by the Akhil Bhartiya Adhivakta Parishad.
Adding that “50 lakh downloading has been done,” Prasad also went on to state “this great innovation has appeared in times of COVID – and that is a matter of great assurance.”
The app was launched on 11 April, and credit for developing it was given to Shivank Agarwal, a student at IIT Roorkee. Mitron is a short video-making application that allows users to upload short videos of up to 15 seconds.
The app rode high on anti-China and anti-TikTok sentiment, was spurred by Prime Minister Narendra Modi’s “vocal for local” initiative, and has managed over 50 lakh downloads.
Two Security Vulnerabilities Found
The Quint had reported that a flaw in the app can allow a malicious actor to force other users to follow any given account, simply by tampering with a few parameters on the ‘follow user’ request.
A day later, it emerged that the app contains another crucial security vulnerability that “could let anyone bypass account authorization for any Mitron user within seconds”, according to The Hackernews.
Rahul Kankrale, a security researcher, discovered this security issue in the way the Mitron app implemented its ‘Login with Google’ feature.
By exploiting the vulnerability one can log into any targeted Mitron user profile just by knowing her unique user ID, which is a piece of public information available in the page source, and without entering any password.
Does this mean that the vulnerability has been carried over from the original TicTic source code?
“Yes, the vulnerability is present in TicTic and so has been carried out in Mitron,” Kankrale told The Quint. “As there is no authentication, so any requests could be manipulated,” he added.
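The two flaws described above share one root cause: the server takes the identity of the acting user from a field the client supplies instead of from something the client has proven. The following Python sketch is an added illustration and is not Mitron’s or TicTic’s code; the user IDs, the identity-provider name and the HMAC-signed token are constructed stand-ins (a real ‘Login with Google’ back end verifies Google’s RS256 ID token against Google’s published keys and also checks the `aud` and `exp` claims). It places the vulnerable login and follow handlers beside hardened versions in which the account is derived from a verified token or an existing session.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed sample accounts (not from the article).
USERS = {"u1001": "alice", "u1002": "bob"}

# Stand-in for the identity provider's signing key. Google signs ID tokens with
# RSA and publishes the public keys; this symmetric key only exists so that the
# example runs offline.
IDP_SECRET = b"constructed-idp-secret"
IDP_ISSUER = "idp.example"  # hypothetical issuer name


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(subject: str) -> str:
    """Simulates the identity provider issuing a signed ID token for `subject`."""
    payload = _b64(json.dumps({"sub": subject, "iss": IDP_ISSUER}).encode())
    sig = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_id_token(token: str) -> Optional[str]:
    """Server-side check: return the subject only if the signature and issuer hold."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("iss") != IDP_ISSUER:
        return None
    return claims.get("sub")


SESSIONS: Dict[str, str] = {}  # session token -> user id


def vulnerable_login(user_id: str) -> Optional[str]:
    """The pattern the article describes: the client names the account and
    nothing proves the caller owns it, so any known ID yields a session."""
    if user_id not in USERS:
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = user_id
    return token


def hardened_login(id_token: str) -> Optional[str]:
    """Identity comes from the verified token's subject, never from a client field."""
    subject = verify_id_token(id_token)
    if subject is None or subject not in USERS:
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = subject
    return token


FOLLOWS: Set[Tuple[str, str]] = set()  # (follower, followed)


def vulnerable_follow(follower_id: str, target_id: str) -> bool:
    """Parameter-tampering pattern: the request body decides who follows whom."""
    if follower_id in USERS and target_id in USERS:
        FOLLOWS.add((follower_id, target_id))
        return True
    return False


def hardened_follow(session_token: str, target_id: str) -> bool:
    """The follower is whoever holds a valid session; the body only names the target."""
    follower = SESSIONS.get(session_token)
    if follower is None or target_id not in USERS or follower == target_id:
        return False
    FOLLOWS.add((follower, target_id))
    return True


if __name__ == "__main__":
    print("bare id accepted by vulnerable login:", vulnerable_login("u1002") is not None)
    print("bare id accepted by hardened login:", hardened_login("u1002") is not None)
    good = hardened_login(idp_issue_token("u1001"))
    print("verified token accepted:", good is not None)
    print("forced follow via body params:", vulnerable_follow("u1002", "u1001"))
    print("follow bound to session:", hardened_follow(good, "u1002"))
```

The detection angle follows from the same design: once the acting user is always taken from the session, a server-side log of `(session user, target)` per follow request makes a mismatch between the session owner and any client-supplied follower field an immediately visible anomaly.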
The Quint has reached out to Mitron App for comments on the claims made by QBoxus along with details the publication has found. The story will be updated once Mitron responds.
QBoxus has, however, clarified to The Quint that there is no problem with what Mitron’s developer has done and no wrong in the procedure to launch the app. Its founder and CEO stated:
“Well, there is no problem with what the developer has done. He paid for it and got the script which is okay. But the problem is with people and Media referring to as Indian made app which is not the truth.”
Irfan Sheikh, Founder & CEO, QBoxus
The Pakistani company has raised two specific issues:
- The real author of the app to be acknowledged and credited instead of attributing Shivank Agarwal as the creator of the app.
- The absence of any original modifications to the purchased code. “The worst thing is that the developer even didn't bother to fix bugs and issues in the app and directly uploaded it on Play Store, which is really a shame,” he added.