A security flaw has been found in Indian short-video app, Chingari, which has garnered millions of downloads following the Indian government’s ban of TikTok and 58 other Chinese apps. Girish Kumar, who works at cybersecurity firm Encode, demonstrated the vulnerability via a video on YouTube, showing how attackers could take over user accounts by exploiting it.
Kumar told HackerNews, which first reported the vulnerability, that targeted users did not need to be involved in order for the hack to work. Attackers could use the vulnerability to gain access to their accounts and change their account settings or even upload content on their behalf.
The company acknowledged the flaw and said it has addressed and patched the same in the 24 hours since it was notified about it. The flaw was in version 2.4.0 and below of the app, according to the company’s statement. “We have pushed updates on both Play Store and App Store with fixes,” the company said. The updates are still pending for approval by Google and Apple.
The company also said that the affected versions may stop working since the company has shut down the application programming interfaces (APIs) associated with them. “It is advisable to update the app to the latest version. Rest assured that your sensitive data like email etc. are not compromised. No user data was compromised due to this vulnerability,” the statement said.
Chingari is amongst the many Indian apps that have benefitted from the ban on TikTok and accompanying Chinese apps by the Indian government. The company has amassed over 19 million downloads in under two weeks. Its founder, Sumit Ghosh, had earlier told Mint that the company is enroute to raising funds right now.
Another Indian clone of TikTok, Mitron, has also been found to be vulnerable recently. Like Chingari, that vulnerability also allowed attackers to log in to a user’s account without their intervention.