Chingari Application Authorization Issue (iOS and Android) - Complete User Account Takeover without Username and Password

Chingari App (a TikTok clone) is made in India by Indian developers. I saw many posts on social media and many articles on the Internet, and Indian users were sharing them widely. A few days later I read in the news that a hacker claimed Chingari's developer website had been compromised and had a malicious file uploaded to it. Later, the Chingari team clarified that the website has nothing to do with the Chingari app or user data; they use different servers for Chingari.

After that I realized that no one had published anything about Chingari app security issues. Maybe no one had tried to test it.

So I decided to take a quick look at the app and see whether I could find any security issues. I found many, but the major one was an authorization issue: I was able to get into any Chingari user's account without any credentials. I created two dummy accounts to record a PoC video, and I did.

I then sent a DM on Twitter to Sumit Ghosh, a co-founder of the Chingari app, and explained the issue. He asked me to share the PoC and I did. They acknowledged the issue and started working on it. They fixed the issues within a couple of days, after which I published my video.

The Chingari applications for iOS and Android let anyone with a Gmail account register. Once an account is created, the app does not use any session token for authentication or authorization. Instead, every request carries an encrypted/hashed user ID, and the backend uses that ID alone to decide whose profile and data to return or modify. A victim's user ID is trivial to obtain: simply visiting the victim's profile in the app exposes it in the traffic. With that ID in hand, any user can substitute it into their own HTTP requests and the backend treats them as the victim, as shown in the video. This is a textbook insecure direct object reference (broken object-level authorization): the server never verifies that the caller is actually the user it is acting for.

Once a victim's account is compromised this way, an attacker can change the username, name, status, DOB, country and profile picture, and upload or delete the user's videos; in short, they have full control of the account.

When posting a video, a user can disable sharing and commenting on it. These restrictions are enforced only on the client and can be bypassed simply by editing the HTTP response body on the way to the app: for example, changing {"share":false,"comment":false} to "true" in the response makes the app allow the restricted video to be shared and commented on. The backend accepts the resulting share and comment requests without checking the owner's settings itself.
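The two weaknesses above, as an added illustration that is not Chingari's code and does not reflect its real API or schema: a vulnerable handler that takes the acting user's identity from a user_id field in the request (so swapping in a victim's ID is enough to edit their profile), next to a hardened one that derives the identity from a server-issued session token; and a comment endpoint that trusts the client's view of the video's flags, next to one that re-checks the owner's setting in server-side data on every write. The user, video and session stores, the function names and the Bearer header are all assumptions made for this example.

```python
import secrets

# Constructed sample data standing in for the backend store (assumption for
# this example; not the real app's schema).
USERS = {
    "u1001": {"name": "alice", "dob": "1990-01-01"},
    "u1002": {"name": "bob", "dob": "1992-05-05"},
}
VIDEOS = {
    # Owner u1001 disabled sharing and comments on this video.
    "v1": {"owner": "u1001", "share": False, "comment": False},
}
# Hypothetical server-side session store: opaque token -> user id.
SESSIONS = {}


def login(user_id):
    """Issue an opaque random session token bound server-side to the user.

    The client only ever learns the token; the user id it maps to lives
    on the server, so a client cannot change who it is by editing a field.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def user_from_auth_header(auth_header):
    """Resolve an 'Authorization: Bearer <token>' header to a user id, or None."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    return SESSIONS.get(auth_header[len("Bearer "):])


# --- Vulnerable pattern: identity comes from the request body -------------
def vulnerable_update_profile(body):
    """Trusts the user_id the client sent, so any caller can edit any user.

    This is the shape of the flaw described in the post: replace the id
    with a victim's and the backend acts on the victim's account.
    """
    user = USERS.get(body["user_id"])
    if user is None:
        return 404, {"error": "no such user"}
    user.update(body["fields"])
    return 200, user


# --- Hardened pattern: identity comes from the session token --------------
def hardened_update_profile(auth_header, body):
    """Derives the acting user from the session; a user_id in the body that
    names someone else is rejected rather than honoured."""
    uid = user_from_auth_header(auth_header)
    if uid is None:
        return 401, {"error": "missing or invalid token"}
    if body.get("user_id", uid) != uid:
        return 403, {"error": "cannot edit another user's profile"}
    USERS[uid].update(body["fields"])
    return 200, USERS[uid]


# --- Share/comment restrictions ------------------------------------------
def vulnerable_comment(body):
    """Posts the comment whenever the client claims the flag was true.

    A client that rewrote the metadata response to {"comment": true}
    sends exactly this and gets through.
    """
    if body["video_id"] not in VIDEOS:
        return 404, {"error": "no such video"}
    if body.get("client_saw_comment_allowed"):
        return 200, {"posted": True}
    return 403, {"posted": False}


def hardened_comment(auth_header, body):
    """Re-checks the owner's setting from server-side data on every write;
    whatever the client displayed or edited is irrelevant."""
    uid = user_from_auth_header(auth_header)
    if uid is None:
        return 401, {"error": "missing or invalid token"}
    video = VIDEOS.get(body["video_id"])
    if video is None:
        return 404, {"error": "no such video"}
    if not video["comment"] and uid != video["owner"]:
        return 403, {"posted": False, "error": "comments disabled by owner"}
    return 200, {"posted": True}


if __name__ == "__main__":
    # Attacker (u1002) edits the victim (u1001) by swapping the id: succeeds.
    print(vulnerable_update_profile({"user_id": "u1001", "fields": {"name": "pwned"}}))
    # Same attempt against the hardened endpoint with the attacker's own session: 403.
    attacker = login("u1002")
    print(hardened_update_profile("Bearer " + attacker,
                                  {"user_id": "u1001", "fields": {"name": "pwned"}}))
    # Client-side flag bypass: accepted by the vulnerable handler, refused by the hardened one.
    print(vulnerable_comment({"video_id": "v1", "client_saw_comment_allowed": True}))
    print(hardened_comment("Bearer " + attacker, {"video_id": "v1"}))
```

The fix for both issues is the same principle: the server decides who the caller is from state it issued (the session), and decides what the caller may do from state it owns (the owner's flags), never from fields the client can edit.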

UPDATE: YouTube removed my video, so I have uploaded the same video to Vimeo.

Here is the video:
