Chingari App Hack (iOS and Android) - Complete User Account Takeover without Username and Password
The Chingari applications for iOS and Android allow any user with a Gmail account to register. Once a user account is created, the Chingari application does not use any token for user authentication and authorization. It uses an encrypted/hashed user ID in every request to retrieve the user's profile and data. It is very easy to get a victim's user ID just by visiting the victim's user account. Once a user ID is retrieved, any user can substitute the victim's user ID in HTTP requests to gain access to the victim's user account, as shown in the video.
Once a victim's account is compromised using the method shown in the video, an attacker can change the username, name, status, DOB, country and profile picture, upload or delete the user's videos, etc. In short, the attacker has access to the entire account.
While posting a video, a user can disable sharing of and commenting on that video. These sharing and commenting restrictions can be bypassed easily just by changing the content of the HTTP response. For example, {"share":false,"comment":false} can be changed to "true" in the response, and it will allow restricted videos to be shared and commented on.
Problem ❌: Chingari uses a randomly generated user ID to fetch the respective profile information and other data from its server, without relying on any secret token for user authentication and authorization.
Solution ✅: Make sure you have installed the latest update of Chingari!
This security issue has been fixed in Chingari version 2.4.1 for Android and 2.2.6 for iOS.
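The missing server-side check described in the Problem statement, sketched as an added example (not Chingari's code and not its actual fix): a handler that trusts the user ID in the request beside one that takes identity from a server-signed token. All names, the in-memory profile store and the token format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed data: a server-only signing key and a stand-in profile store.
SERVER_KEY = secrets.token_bytes(32)
PROFILES = {"u_alice": {"name": "Alice"}, "u_bob": {"name": "Bob"}}


def issue_token(user_id: str) -> str:
    # Issued at login: the user ID plus an HMAC only the server can compute.
    # A production token would also carry an expiry; omitted to keep this short.
    tag = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def authenticated_user(token: str) -> Optional[str]:
    """Return the user ID bound to a valid token, or None."""
    user_id, _, tag = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    ok = bool(user_id) and hmac.compare_digest(tag.encode(), expected.encode())
    return user_id if ok else None


def update_name_vulnerable(request: dict) -> int:
    """Pattern described above: the user ID in the request is the only credential."""
    PROFILES[request["user_id"]]["name"] = request["name"]
    return 200


def update_name_hardened(request: dict) -> int:
    """Identity comes from the verified token; a mismatching user ID is refused."""
    caller = authenticated_user(request.get("token", ""))
    if caller is None:
        return 401  # no valid token: not authenticated
    if request.get("user_id", caller) != caller:
        return 403  # authenticated, but acting on someone else's account
    PROFILES[caller]["name"] = request["name"]
    return 200
```

The same principle applies to the share and comment flags: the server has to enforce them when it receives a share or comment request, because any value sent to the client can be altered there.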
This is purely educational content - all practical work is done in environments that allow and encourage offensive security training.
#SecurityFreaks