Mitron, the popular Indian alternative to TikTok, has been removed from the Google Play store. The app had over 5 million downloads. Mitron, an alternative to TikTok, quickly gathered a lot of attention and gained popularity for its Indian ‘origin’, as noted in many of the app’s reviews. However, it was then reported that Mitron was a rebranded version of the Pakistani app TicTic. Now it has been pulled from the Google Play store for violating its ‘spam and minimum functionality’ policy.
The viral app contains a highly critical, unpatched vulnerability that could allow anyone to take over any user account without any interaction from the targeted user and without knowing their password. The flaw is easy to exploit and lets anyone bypass account authorization for any Mitron user within seconds.
The real security issue resides in the way the app implemented its ‘Login with Google’ feature, which asks users for permission to access their profile via their Google account but then never uses it. As a result, one can log into any targeted Mitron user’s profile just by knowing the unique user ID, which is available in the page source, without entering any password.
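As an added illustration (not Mitron’s code, and assuming a constructed user table, an HMAC stand-in for Google’s ID-token signature, and the hypothetical handler names login_vulnerable and login_fixed), the difference between a login endpoint that trusts a client-supplied user ID and one that derives identity only from a verified ID token:

```python
import base64, hashlib, hmac, json, time

# Constructed data: the app's own user table and a stand-in for the identity provider's key.
USERS = {"u1001": {"email": "alice@example.com"}, "u1002": {"email": "bob@example.com"}}
IDP_KEY = b"constructed-idp-signing-key"  # real Google ID tokens are RS256 JWTs checked
CLIENT_ID = "example-client-id"            # against Google's published public keys

def login_vulnerable(request):
    """The pattern the article describes: Google consent happens on the client, but the
    server never looks at the Google credential and trusts a client-supplied user id."""
    user_id = request.get("user_id")
    return {"session_for": user_id} if user_id in USERS else None

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(email, aud=CLIENT_ID, ttl=300):
    """Stand-in for the identity provider minting an ID token (HMAC so it runs offline)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"email": email, "aud": aud, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(IDP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_id_token(token):
    """Return the claims only if signature, audience and expiry all check out, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(IDP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        if claims.get("aud") != CLIENT_ID or claims.get("exp", 0) <= time.time():
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    return claims

def login_fixed(request):
    """Identity is derived only from the verified ID token; any user_id in the request is ignored."""
    claims = verify_id_token(request.get("id_token", ""))
    if claims is None:
        return None
    for uid, rec in USERS.items():  # map the provider's identity to a local account
        if rec["email"] == claims["email"]:
            return {"session_for": uid}
    return None
```

The fixed handler still needs the real provider’s signature check in production (for Google, validating the RS256 JWT against Google’s public keys); the HMAC here only keeps the example self-contained.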
Apparently, Mitron was not actually created by any IIT student, but by a shady company dubbed ShopKiller. The latter bought the app’s source code, understood to be that of the TicTic app, from the Pakistani company Qboxus for a meagre $34 (around Rs 2,570) on the CodeCanyon platform.
The important fact is that the Mitron app really is the same as TicTic, down to its source code. That is the main reason behind the loopholes, and why it should never have made its way through Google’s supposedly stern security checks.