Chingari responds to being called ‘easily hackable’, shares app updates with security patch
An ethical hacker showed how easily Chingari could be hacked and anyone could get access and take over any user's account irrespective of the device and the OS.
Chingari, the TikTok clone that suddenly got very popular across the country thanks to TikTok getting banned by the Indian government, is allegedly really easy to hack. The app has a vulnerability that allows it to be easily exploited and anyone can hijack any user account on any smartphone and ‘tamper’ with user information, content and even upload videos.
This report comes courtesy The Hacker News (THN) that shared a video showing exactly how easily this could be done. New users can register an account on the Chingari app on both iOS and Android by granting the app a basic profile access to their Google accounts, the report states.
While many other apps also do this, Girish Kumar, a cybersecurity researcher at Encode Middle East firm in Dubai, told THN that Chingari uses a randomly generated user ID to fetch profile information of the user along with other data from the server without relying on a secret token for user authentication and authorisation.
Kumar shared a video that shows how easily the user ID can be retrieved and be replaced by a hacker in HTTP requests to gain access to account information. He also told THN that once the victim’s account is compromised, the attacker can change any and all information and also upload videos - essentially, the hacker gets full access to the account.
Besides this, Chingari also has another feature that allows users to turn off video sharing and comments and this can be bypassed by changing the HTTP response code allowing pretty much anyone to share and comment on restricted videos.
Kumar informed Chingari about these issues and the company has responded today with a security patch -
“There was a security issue in Chingari (V 2.4.0 and below). The issue was notified to us 24 hours ago has been addressed and patched already by the team. We have pushed updates both on Play Store & App Store with fixes. The old app may not work as we have shut down the vulnerable APIs. It is advisable to update the app to the latest version. Rest assured your sensitive data like email etc are not compromised. No user data was compromised due to this vulnerability,” the company said in a statement today.
Version 2.4.1 for Android and 2.2.6 for iOS comes with the security fix and if you are using Chingari we suggest you update your app immediately.