This article comes from the WeChat public account Zhixiang (ID: passagegroup), author: SURVEYING; original title: “Mitron, the TikTok clone that went viral, lived only 50 days”.

On May 30, Mitron, a short-video app cloned from TikTok, topped the free download chart in India, having received 5 million downloads in just one month.

While Indian netizens are proud of this Indian-made app, the Indian media pointed out that Mitron is actually a code package that a developer bought from a Pakistani company for $34 (about Rs 2,500). Not only were no “localization” changes made, but the unmodified code package also carried over the security flaws of the original.

On June 2, Zhixiang.com found that Mitron had been removed from the Google App Store for unknown reasons.

Responding to “vocal for local”

On May 12, Indian Prime Minister Modi called on the public to be “vocal for local” in a national address. Many Indian startups have since said they are building home-grown alternatives to Facebook, TikTok, Zoom and WhatsApp.

Mitron, Bolo Indya and Roposo are all recently popular “local” applications positioned against TikTok. Currently, Mitron is available only on the Google App Store, where it has received more than 5 million downloads and 250,000 5-star ratings in a month, ranking first on the free download chart. Bolo Indya is a short-video application that focuses on infotainment. Roposo was launched earlier and is live on both the Google and Apple App Stores; it is said to have over 50 million users, with ratings of 4.3 and 4.5 on the Google and Apple App Stores, respectively.

India’s recently popular “local” apps positioned against TikTok

Mitron is plainly a clone of TikTok: its interface design, feature layout and even video style are exactly the same as TikTok’s. Indian media joked that “except for the bugs, everything is the same as TikTok”.

Mitron is riddled with bugs, and many users in the Google Store review section complain that the app is hard to use, but this has not stopped users from giving it a high rating of 4.7.

“You can steal all user information in a few seconds”

On May 30, Rahul Kankrale, an Indian security researcher, released a short video demonstrating a security vulnerability in Mitron. He pointed out that Mitron offers a “sign in with Google” option at registration, allowing users to authorize login with their Google account, but the developer never used the secret token from that authorization for identity verification. As a result, an attacker can log in to any user’s profile simply by passing the public user ID, without entering a password.

Rahul Kankrale demonstrates Mitron’s vulnerability

In other words, this flaw exposes users’ Google account information and allows all of a user’s information to be stolen.

Another security flaw is that attackers can “send followers” to users: by tampering with parameters of the “follow user” function, they can make an account follow designated accounts.
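The two flaws Rahul Kankrale describes, shown as an added illustration that is not code from Mitron, TicTic or the original article: a login endpoint that trusts a bare public user ID beside one that verifies a signed identity token, and a follow action that reads the follower from the request beside one that takes it from the verified session. The signing key, client ID and account table are constructed placeholders, and the HMAC-signed token is a stand-in for Google’s RS256 ID token.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not Mitron's, Qboxus's or Google's real keys or ids).
IDP_KEY = b"demo-identity-provider-key"   # stands in for the identity provider's signing key
APP_CLIENT_ID = "demo-mitron-client-id"   # audience the backend must see in the token
ACCOUNTS = {"google-sub-1001": "alice", "google-sub-1002": "bob"}  # provider sub -> app user

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_id_token(sub: str, aud: str, ttl: int = 300) -> str:
    """Simulates the identity provider minting a signed token (HMAC here; Google uses RS256)."""
    payload = _b64(json.dumps({"sub": sub, "aud": aud, "exp": int(time.time()) + ttl}).encode())
    sig = _b64(hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def login_insecure(public_user_id: str):
    """The flaw the article describes: the backend treats a bare public ID as proof of identity."""
    if public_user_id in ACCOUNTS.values():
        return {"session_for": public_user_id}
    return None

def login_secure(id_token: str):
    """Hardened flow: verify signature, audience and expiry, then map the provider's sub to a user."""
    try:
        payload, sig = id_token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("aud") != APP_CLIENT_ID or claims.get("exp", 0) < time.time():
        return None
    user = ACCOUNTS.get(claims.get("sub"))
    return {"session_for": user} if user else None

def follow_insecure(request: dict) -> tuple:
    """Second flaw: the follower is read from a client-controlled request parameter."""
    return (request["follower"], request["target"])

def follow_secure(session: dict, target: str) -> tuple:
    """Fixed: the follower is always the user bound to the verified session."""
    return (session["session_for"], target)
```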

While reviewing the vulnerable code, Rahul found that Mitron’s code package actually came from the Pakistani software development company Qboxus: Mitron is a repackaged version of TicTic, an application developed by that company.

TicTic was developed by Qboxus as an imitation of TikTok and Musical.ly and is sold to other developers. According to media reports, more than 250 developers besides Mitron have purchased the TicTic code. Experts explained that, since the source code is identical, any other developer who bought it could use this vulnerability to break into Mitron’s user database.

TicTic introduction on the Qboxus official website

Irfan Sheikh, CEO of Qboxus, said, “The Mitron application has privacy issues because the developer of the application has not uploaded a privacy policy. The company sells the source code, but we hope that purchasers will do their own development based on it. Mitron paid to buy the source code, which is understandable, but they did not change the source code for the version on the Google App Store.” He said that developers are not encouraged to publish the application directly for public use.

Counterpoint cybersecurity researcher Satyajit Sinha also said, “The use of the Mitron application is risky because it does not have any other firewalls on top of the source code, and the privacy policy is weak. In the long run, user data may be at risk.”

Indian or Pakistani?

Although the code was developed by a Pakistani company, the true identity of the person who listed Mitron has not been confirmed. Public reports name the developer as Shivank Agarwal, a student at the Indian Institute of Technology Roorkee (IIT Roorkee), but this has not been confirmed by the developer himself.

India’s Minister of Electronics and IT Ravi Shankar Prasad said on social media, “Congratulations to Shivank Agarwal, a computer engineer at IIT Roorkee, who created a great platform Mitron to deal with TikTok and Facebook.”

Zhixiang.com sent an email to the developer contact address listed for Mitron on the Google App Store, but the address was invalid. Rahul also said that he tried to notify Mitron’s developers of the vulnerabilities but could not reach them by email.

In addition, the homepage of shopkiller.in, the web server hosting Mitron’s backend infrastructure, is blank. Interestingly, though, the website of the Pakistani company Qboxus lists Mitron as one of the best applications it has developed.

The Qboxus website lists Mitron as one of the best applications it has developed

The controversy may be moot, however: Mitron was removed from Google on June 2, and its future is uncertain.
