Launched in November 2019, the social media platform Koo is an Indian alternative to Twitter with some 6 million active users.
The bug is a stored cross-site scripting (persistent XSS) flaw in Koo's web app. It allows an attacker to inject malicious scripts into the targeted web application, where they are stored and served to other users.
To carry out the attack, an attacker simply logs into the service and posts an XSS payload to their timeline. The script then executes on behalf of any user who views the post.
The flaw in Koo's Android app, of a kind also known as an XSS worm, was discovered by security researcher Rahul Kankrale. Koo rolled out a fix on July 3 following a private disclosure.
The researcher says cross-site scripting allows an attacker to perform actions on behalf of a user without the user's consent, and to steal sensitive information such as a web browser's authentication cookies and other secrets.
Because the malicious code propagates automatically, the flaw in Koo could silently infect other visitors to the site without requiring any interaction on their part.
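The root cause of a stored XSS of the kind described above is that text written by one user is placed into the page served to other users without output encoding. The following is an added example, not Koo's code or anything from the researchers' disclosure: a hypothetical post renderer in its unsafe form next to a hardened form that HTML-encodes the author and body before they enter the markup. The post text, the `example.invalid` URL and all function names are constructed for illustration.

```javascript
// Added example (not Koo's code): an unsafe post renderer beside an
// output-encoded one. Post text and function names are hypothetical.

// Constructed sample post body. A stored XSS needs exactly this: text the
// author controls that a viewer's browser would parse as markup/script.
const CONSTRUCTED_POST =
  'Hello Koo! <script src="https://example.invalid/worm.js"></script>';

// Vulnerable pattern: user-controlled text concatenated straight into HTML.
// Whatever the author typed becomes part of the page for every viewer,
// which is the persistence and self-propagation property of an XSS worm.
function renderPostUnsafe(author, body) {
  return `<div class="post"><span class="author">${author}</span><p>${body}</p></div>`;
}

// Hardened pattern: encode the five HTML-significant characters before the
// text is inserted into an element body or a double/single-quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderPostSafe(author, body) {
  return `<div class="post"><span class="author">${escapeHtml(author)}</span><p>${escapeHtml(body)}</p></div>`;
}

// Regression check usable in unit tests or CI: true when a body containing
// markup characters survives into the rendered output verbatim, i.e. the
// renderer emitted user input as live markup instead of text.
function leaksRawMarkup(renderedHtml, body) {
  return /[<>"']/.test(body) && renderedHtml.includes(body);
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe leaks markup:',
    leaksRawMarkup(renderPostUnsafe('alice', CONSTRUCTED_POST), CONSTRUCTED_POST));
  console.log('safe leaks markup:  ',
    leaksRawMarkup(renderPostSafe('alice', CONSTRUCTED_POST), CONSTRUCTED_POST));
  console.log(renderPostSafe('alice', CONSTRUCTED_POST));
}
```

Encoding at the point where untrusted text meets HTML is the primary fix; in a real application this is normally done by the templating framework or by assigning `textContent` rather than `innerHTML`, and a Content-Security-Policy that disallows inline and third-party scripts limits the damage if an encoding gap is ever missed.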
The latest update also addressed another critical flaw in the Koo app, discovered by security researcher Prasoon Gupta, that could have allowed remote attackers to access any user account without requiring a password or user interaction.