Critical Vulnerabilities Found In Indian Twitter Alternative Koo

Critical Vulnerabilities Found In Indian Twitter Alternative Koo

India’s Twitter-like app with millions of users, Koo, is subject to a serious security flaw that could allow an attacker to execute arbitrary JavaScript code.

Launched in November 2019, the social media platform Koo is an Indian alternative to Twitter with some 6 million active users.

The bug involves a stored cross-site scripting flaw (persistent XSS) in Koo’s web app. It allows an attacker to inject malicious scripts into the targeted web application.

To carry out the attack, an attacker simply logged into the service and posted an XSS-encoded payload on its timeline. The script is executed on behalf of any user who saw the post.

The flaw in Koo’s Android app, which is also known as XSS worm, was discovered by security researcher Rahul Kankrale. Koo rolled out a fix on July 3 following a private disclosure.

The researcher says cross-site scripting allows an attacker to perform actions on behalf of a user, without the user’s consent. It can also steal sensitive information such as web browser’s authentication cookies and other secrets.

Due to the nature of JavaScript, it can expose any sensitive information that the compromised user account can access. This could also allow adversaries to read private messages, spread spam, or spread misinformation.

The flaw in Koo can cause a website to silently infect other website visitors without requiring any interaction by automatically propagating malicious code.

One more XSS vulnerability related to the hashtag feature was also disclosed and patched in the most recent app update. It allowed an attacker to execute arbitrary JavaScript code when the user searched for a specific hashtag (“https://www[.]kooapp[.]com/tag/[hashtag]”).

The latest update also addressed another critical flaw in the Koo app, discovered by security researcher Prasoon Gupta, that could have allowed remote attackers to access any user account without requiring a password or user interaction.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.