The Indian TikTok clone app Chingari has a serious security vulnerability that allows any user account to be hijacked easily.
Although the Chingari app doesn't collect any critical user information, this vulnerability lets any Chingari account be hijacked and its account details changed, comments posted, videos uploaded and much more. It is not a breach of data belonging to a large number of users, but it can be used to compromise any targeted account.
This vulnerability was discovered by cybersecurity researcher Girish Kumar.
The Chingari app is available for iOS and Android. It lets any user register an account with Gmail. Once the account is created, the Chingari application does not use any token for user authentication and authorisation; instead it sends an encrypted/hashed user ID in every request to retrieve the user's profile and data.
It is very easy to obtain a victim's user ID just by visiting the victim's profile. Once the user ID is retrieved, any user can substitute the victim's user ID into their own HTTP requests and gain access to the victim's account, as shown in the video below.
Once a victim's account is compromised using the method shown in the video, an attacker can change the username, name, status, DOB, country and profile picture, upload or delete the user's videos, etc.; in short, the attacker has access to the entire account.
When posting a video, a user can disable sharing of and commenting on that video. These sharing and commenting restrictions can be bypassed easily just by modifying the HTTP response.
For example, {"share": false, "comment": false} can be changed to "true" in the response, and the restricted video can then be shared and commented on.
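The two weaknesses described above are, in defender's terms, a missing object-level authorization check (the server trusts a user ID supplied by the client) and a client-side-only enforcement of the share/comment flags. The following is an added example, not Chingari's code or API: a minimal server-side model in Python with the vulnerable pattern beside a hardened version that binds identity to a random session token and enforces the uploader's restrictions from stored state. All data, user IDs and handler names are constructed for the illustration.

```python
import secrets

# Constructed sample data for this example; not Chingari's real API, data or code.
PROFILES = {"u1001": {"username": "alice", "country": "IN"},
            "u2002": {"username": "bob", "country": "IN"}}
# Per-video restrictions chosen by the uploader at upload time (constructed).
VIDEOS = {"v1": {"owner": "u2002", "share": False, "comment": False}}
SESSIONS: dict[str, str] = {}  # session token -> authenticated user ID


def vulnerable_update_profile(req: dict) -> dict:
    """Pattern the article describes: the caller is identified only by the user
    ID in the request, so any ID copied from a profile page acts as that user."""
    PROFILES[req["user_id"]].update(req["changes"])
    return PROFILES[req["user_id"]]


def login(user_id: str) -> str:
    """Hardened design: after sign-in (assumed already verified), issue a random,
    unguessable token bound server-side to the user; the user ID in later
    requests is treated as data, never as proof of identity."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def secure_update_profile(token: str, req: dict) -> tuple[int, dict]:
    """Hypothetical handler returning an HTTP-like (status, body) pair."""
    uid = SESSIONS.get(token)
    if uid is None:
        return 401, {"error": "no valid session"}
    if req["user_id"] != uid:  # object-level authorization: only your own profile
        return 403, {"error": "cannot modify another user's profile"}
    PROFILES[uid].update(req["changes"])
    return 200, PROFILES[uid]


def secure_share_video(token: str, video_id: str) -> tuple[int, dict]:
    """Enforce the uploader's share flag from server-side state, so a client
    that rewrites {"share": false} to true in a response gains nothing."""
    uid = SESSIONS.get(token)
    if uid is None:
        return 401, {"error": "no valid session"}
    video = VIDEOS.get(video_id)
    if video is None:
        return 404, {"error": "no such video"}
    if video["owner"] != uid and not video["share"]:
        return 403, {"error": "sharing disabled by uploader"}
    return 200, {"share_url": f"https://example.invalid/v/{video_id}"}
```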
Chingari released a patch to fix this vulnerability
Girish Kumar responsibly disclosed this vulnerability to the makers of Chingari, and the company acknowledged it.
The founder of Chingari confirmed that the patch for this vulnerability shipped in Chingari version 2.4.1 for Android and 2.2.6 for iOS.
If you are a Chingari app user, it is recommended to update your application as soon as possible.