app[1], another viral TikTok clone in India, has now been found
vulnerable to a critical but easy-to-exploit authentication bypass
vulnerability that allows anyone to hijack any user account and
tamper with their information and content, and even upload
unauthorized videos.
The Indian video-sharing app, called Chingari, is available for
Android and iOS smartphones through the official app stores and is
designed to let users record short-form videos, catch up on the news,
and connect with other users via a direct-message feature.
Originally launched in November 2018, Chingari has witnessed a
huge surge in popularity over the past few days in the wake of
India’s ban on Chinese-owned apps late last month, crossing 10 million
downloads[2] on the Google Play Store in under a month.
The Indian government recently banned 59 apps and
services[3], including ByteDance’s
TikTok, Alibaba Group’s UC Browser and UC News, and Tencent’s
WeChat over privacy and security concerns.
While these apps have been delisted from Apple and Google’s app
stores, several home-grown alternatives, such as InMobi Group’s
Roposo, Chingari, and Mitron, have ramped up their
efforts[4] to cash in on the void
left by TikTok.
Any Chingari User Account Can Be Hijacked in Seconds
The Chingari app for iOS and Android asks users to register an
account by granting basic profile access to their Google account,
which is a standard part of OAuth-based authentication.
However, according to Girish Kumar[5], a cybersecurity researcher
at the Dubai-based firm Encode Middle East, Chingari uses a
randomly generated user ID to fetch the respective profile
information and other data from its server, without relying on any
secret token for user authentication and authorization.
As demonstrated in the video Kumar shared with The Hacker News, not
only can this user ID be easily retrieved, it can be used by an
attacker to replace a victim’s user ID in HTTP requests to gain
access to the account information.
“The attack doesn’t require any interaction from the targeted
users and can be performed against any profile to change their
account settings or upload content of the attacker’s choice,” Kumar
told The Hacker News in an email interview.
As The Hacker News revealed back in May, Mitron suffered from
exactly the same flaw[6], allowing anyone with access to the unique
user ID to log in to the account without entering any password.
“Once a victim’s account is compromised using the method shown in
the video, an attacker can change username, name, status, DOB,
country, profile picture, upload/delete user videos etc.; in short,
access to the entire account,” Kumar said.
That’s not all. A separate Chingari feature that lets users turn
off video sharing and comments can be bypassed simply by tweaking
the flags in the HTTP response ({"share":false,"comment":false}),
making it possible for a malicious party to share and comment on
restricted videos.
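Both weaknesses above come down to the server trusting the client: identity is taken from a client-supplied user ID instead of a secret token, and the share/comment restriction is only as strong as the flags the client chooses to honour. The Python sketch below is an added example, not Chingari’s code; the user store, the HMAC session token and the handler shapes are constructed assumptions. It places the vulnerable lookup beside a hardened one that derives identity from a verified token, and enforces the per-video flags on the server.

```python
import hashlib
import hmac

# Constructed stand-ins for a real user store and server secret; not the app's data.
SERVER_SECRET = b"constructed-server-secret"
USERS = {
    "u-1001": {"name": "alice", "videos": {"v-1": {"share": False, "comment": False}}},
    "u-1002": {"name": "bob",   "videos": {"v-2": {"share": True,  "comment": True}}},
}

def issue_token(user_id):
    """Hypothetical session token: the user id bound to an HMAC under the server secret."""
    sig = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{sig}"

def user_from_token(token):
    """Return the user id the token vouches for, or None if the MAC does not verify."""
    user_id, _, sig = token.partition(".")
    expected = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(sig, expected) else None

def get_profile_vulnerable(request):
    """The pattern described above: a client-supplied user_id is trusted outright."""
    return USERS.get(request["params"]["user_id"])

def get_profile_hardened(request):
    """Identity comes from the verified token; the user_id parameter may only name the caller."""
    caller = user_from_token(request["headers"].get("Authorization", ""))
    if caller is None or caller != request["params"]["user_id"]:
        return None  # a real handler would answer 401/403 here
    return USERS[caller]

def post_comment(request):
    """Server-side enforcement of the per-video 'comment' flag, whatever the client displays."""
    caller = user_from_token(request["headers"].get("Authorization", ""))
    if caller is None:
        return 401
    video_id = request["params"]["video_id"]
    for owner, record in USERS.items():
        video = record["videos"].get(video_id)
        if video is not None:
            break
    else:
        return 404
    # The owner may always comment; everyone else only when the owner allows it.
    if caller != owner and not video["comment"]:
        return 403
    return 200
```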
Chingari Patch Update To Be Released Today
Kumar responsibly disclosed the issue to the makers of Chingari
earlier this week, and the company acknowledged the vulnerability
in response.
The Hacker News also reached out to Sumit Ghosh, founder of
Chingari, who confirmed to the publication that the issue will be
patched in Chingari version 2.4.1 for Android and 2.2.6 for iOS,
expected to be rolled out to millions of its users via the Google
Play Store and the Apple App Store starting today.
If you are a Chingari user, it’s highly recommended that you
update the app as soon as the latest version is available to avoid
potential misuse.
In a separate incident, a French researcher[7] earlier this month
spotted that the website of Globussoft, the company behind
Chingari, had also been compromised to host malware scripts,
redirecting its users to malicious pages.
Such an unfortunate state of security highlights that embracing
indigenous apps for the sake of nationalism is one thing, but apps,
especially for non-tech-savvy users, must be tested rigorously
while keeping privacy and security in mind.
References
[1] Mitron app (thehackernews.com)
[2] 10 million downloads (www.appbrain.com)
[3] banned 59 apps and services (pib.gov.in)
[4] ramped up their efforts (in.reuters.com)
[5] Girish Kumar (twitter.com)
[6] Mitron suffered from exactly the same flaw (thehackernews.com)
[7] french researcher (twitter.com)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/LcIt2IQtjDk/hack-chingari-app-account.html