Mitron app already has over 50 lakh downloads on Google Play
Mitron app allegedly allows attackers to take over user accounts
Login is handled through a unique user ID rather than a password
Mitron app developer is yet to fix the reported vulnerability
Mitron app, which was launched as an alternative to TikTok and has gained notable popularity in a short time, allegedly has a vulnerability that could allow an attacker to compromise user accounts and send messages on behalf of a specific user. The flaw doesn't let an attacker steal personal information such as the email ID a user signed up with on the Mitron app. However, it can be exploited to gain access to the affected user's profile. The Mitron app is so far exclusive to Android and has reached over 50 lakh downloads on Google Play.
By exploiting the vulnerability in the Mitron app, an attacker could send messages to other users and even follow other people or comment on behalf of the victim, cyber-security researcher Rahul Kankrale told Gadgets 360. He said the issue lies in the app's login process, which allows bad actors to intercept the victim's unique user ID; that ID can then be used to log in to their account without a password or any additional verification.
Kankrale also mentioned that the developer of the Mitron app isn't using the Secure Sockets Layer (SSL) protocol to secure the login. Although the app does allow users to log in with their existing Google accounts, it processes the login through the unique user ID instead of using the provided Google account, he added.
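The pattern the researcher describes is a general one: an identifier that the server already knows, and that travels unprotected over the network, is being treated as if it were a secret. The following toy model is an added illustration written for this article; it is not Mitron's code and not the researcher's. The user directory is constructed, and an HMAC-signed JSON assertion from a hypothetical identity provider stands in for a real Google ID token, which in production would be verified against Google's published signing keys. The point it shows is that a login that only checks "is this user ID known to me?" is indistinguishable from an attacker replaying a sniffed ID, whereas a login that demands a signed, audience-bound, single-use proof of identity and then mints its own random session token does not fall to that replay.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data: the app's user directory keyed by its unique user ID.
USERS = {
    "1001": {"name": "alice", "idp_sub": "idp-alice"},
    "1002": {"name": "bob", "idp_sub": "idp-bob"},
}

# --- Design 1: the reported pattern. Knowing the user ID is enough to log in. ---

def vulnerable_login(user_id):
    """Accepts a bare user ID as proof of identity. Anyone who observes the ID
    on the wire (trivial without transport encryption) or guesses it gets a
    session for that user; no password or other secret is ever checked."""
    if user_id not in USERS:
        return None
    return {"user": user_id, "token": user_id}  # the "token" is just the identifier


# --- Design 2: demand a signed assertion from the identity provider, then mint a session. ---

IDP_KEY = b"hypothetical-idp-shared-secret"  # assumption: stand-in for the IdP's signing key
APP_AUDIENCE = "example-app"                 # assumption: this app's client/audience ID
_SESSIONS = {}     # session token -> user ID
_SEEN_JTI = set()  # assertion IDs already redeemed, so a captured assertion cannot be replayed


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_assertion(sub, now=None, ttl=300, key=IDP_KEY):
    """What the identity provider hands the client after the user authenticates
    with it. HMAC over canonical JSON stands in for a real signed ID token."""
    now = time.time() if now is None else now
    claims = {"sub": sub, "aud": APP_AUDIENCE, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def hardened_login(assertion, now=None):
    """Verifies signature, audience, expiry and single use before looking the
    user up, then returns an unguessable session token that is not the user ID."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = assertion.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed, e.g. a bare user ID presented as a credential
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered assertion
    claims = json.loads(body)
    if claims.get("aud") != APP_AUDIENCE or claims.get("exp", 0) < now:
        return None  # issued for another app, or expired
    jti = claims.get("jti")
    if jti is None or jti in _SEEN_JTI:
        return None  # replay of an assertion that was already redeemed
    _SEEN_JTI.add(jti)
    user_id = next((uid for uid, u in USERS.items() if u["idp_sub"] == claims.get("sub")), None)
    if user_id is None:
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = user_id
    return {"user": user_id, "token": token}


def whoami(token):
    """Resolves a session token back to a user ID, or None if unknown."""
    return _SESSIONS.get(token)


if __name__ == "__main__":
    sniffed_id = "1001"
    print("vulnerable:", vulnerable_login(sniffed_id))       # attacker is now alice
    print("hardened, bare ID:", hardened_login(sniffed_id))  # None
    proof = issue_assertion("idp-alice")
    print("hardened, real proof:", hardened_login(proof))    # session for 1001
    print("hardened, replayed proof:", hardened_login(proof))  # None
```

Two caveats a practitioner would add. First, the second design only holds if the client-to-server channel is itself protected: without TLS an attacker on the path can still capture the freshly minted session token, so transport encryption and a real credential check are both required, not alternatives. Second, the session token must be bound to server-side state as shown here, so that invalidating it (logout, compromise) is possible; handing the client a token that is derived from, or equal to, a public identifier gives it nothing to revoke.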
Gadgets 360 doesn't recommend installing or using an app whose makers remain unclear and that has at least one major vulnerability yet to be fixed.
Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a principal correspondent for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13. Please send in your leads and tips.