Chingari, another Indian TikTok clone, can be easily hacked without knowing the account's username and password. The app has been found vulnerable to a critical but easy-to-exploit authentication flaw. It allows anyone to hack any Chingari user account and tamper with its information, content and uploaded videos.
Any Chingari App Account Can Be Hacked
Chingari is an Indian video-sharing app available for Android and iOS. It lets users record short videos, catch up on the news and connect with other users through a DM (direct message) feature.
The app was initially launched in November 2018 and has become very popular in the past few days, after India banned 59 Chinese-owned apps just a week ago. The banned apps, which include TikTok, UC Browser and UC News, were banned due to privacy and security concerns.
With these Chinese apps removed, a few of their alternatives have become popular.
Any Chingari User Account Can Be Hacked Within Seconds!
When a user downloads the Chingari app for Android or iOS, it asks the user to register an account. To register, the user provides basic profile details through a Google account.
According to Girish Kumar, a cybersecurity researcher in Dubai, the Chingari app uses a randomly generated user ID to fetch profile information and other data from the server, without requiring any token for user authentication.
Girish Kumar shared a video.
https://www.youtube.com/watch?time_continue=408&v=GuGCfGSNmMQ&feature=emb_title
According to the video, not only can a user ID be recovered, but an attacker can also put the victim's user ID in HTTP requests in place of their own to get all the account information.
In an email interview, Kumar told The Hacker News:
“The attack doesn’t require any interaction from the targeted users and can be performed against any profile to change their account settings or upload content of the attacker’s choice.”
Earlier in May, the same flaw appeared in the Mitron app, where anyone with access to the unique user ID could log in to the account without any password.
Kumar said,
“Once a victim’s account is compromised using the method shown in video an attacker can change username, name, status, DOB, country, profile picture, upload/delete user videos etc. in short access to the entire account.”
In addition, a separate feature in the app that lets users turn off video sharing and comments can be bypassed simply by tweaking the HTTP response ({"share":false,"comment":false}), which makes it possible for hackers to share and comment on the restricted videos.
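As an added illustration (not code from Chingari, the researcher or the original article), this server-side sketch contrasts the pattern described above, where the user ID in the request is the only credential, with a handler that takes identity from a verified session token and enforces the comment switch on the server. All names, the sample data and the HMAC token scheme are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-process signing key
USERS = {"u-1001": {"name": "alice"}, "u-2002": {"name": "bob"}}   # constructed sample data
VIDEOS = {"v-1": {"owner": "u-1001", "share": False, "comment": False}}  # constructed

def _sign(user_id):
    return hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()

def issue_token(user_id):
    """Issued by the server at login; binds the session to one user ID."""
    return f"{user_id}.{_sign(user_id)}"

def authenticated_user(token):
    """Return the user ID the token was issued for, or None if it does not verify."""
    user_id, _, sig = (token or "").rpartition(".")
    ok = user_id in USERS and hmac.compare_digest(sig.encode(), _sign(user_id).encode())
    return user_id if ok else None

def update_profile_weak(body):
    """Pattern the article describes: the user ID in the request is the only credential."""
    USERS[body["user_id"]].update(body["changes"])
    return 200

def update_profile(token, body):
    """Hardened: identity comes from the verified token, never from the request body."""
    caller = authenticated_user(token)
    if caller is None:
        return 401
    if body.get("user_id", caller) != caller:
        return 403  # body names a different account than the session owns
    USERS[caller].update(body["changes"])
    return 200

def add_comment(token, video_id, text):
    """The server re-checks the owner's setting; the flag sent to the client is display-only."""
    if authenticated_user(token) is None:
        return 401
    if not VIDEOS[video_id]["comment"]:
        return 403
    return 201
```

A production service would use its framework's session or OAuth tokens with expiry and revocation; the point here is only where the identity and the share/comment decision are checked.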
If you are a Chingari user, we recommend that you update the app to the latest version.