The vulnerability involves a stored cross-site scripting flaw (also known as persistent XSS) in Koo’s web application that allows malicious scripts to be embedded directly into the affected web application.
To complete the attack, all a malicious actor had to do was log into the service through the web application and post an XSS-encoded payload on its timeline, which is automatically executed on behalf of all users who viewed the post.
The issue was discovered by security researcher Rahul Kankrale in July, after which a fix was rolled out by Koo on July 3.
Using cross-site scripting, an attacker can perform actions on behalf of users with the same privileges as the user and steal web browser secrets, such as authentication cookies.
The end result of this vulnerability in Koo, also known as the XSS worm, is more worrying as it automatically spreads malicious code among website visitors to infect other users, like a chain reaction, without any user interaction.
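The stored XSS pattern described above comes down to rendering a saved post into a page without output encoding. The following is an added illustration, not Koo's code: a hypothetical timeline renderer shown in its vulnerable and hardened forms, with a constructed sample post and assumed names (`renderPostUnsafe`, `renderPostSafe`, `timelineHeaders`, `tagNames`).

```javascript
// Added example: hypothetical server-side timeline renderer (not Koo's code).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for HTML element content or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: stored fields are concatenated into markup as-is, so markup
// inside a post is parsed by the browser of every user who views it.
function renderPostUnsafe(post) {
  return `<article data-author="${post.author}"><p>${post.body}</p></article>`;
}

// Hardened: every stored field is encoded at output time, so the post body
// is displayed as text instead of being interpreted as markup.
function renderPostSafe(post) {
  return `<article data-author="${escapeHtml(post.author)}"><p>${escapeHtml(post.body)}</p></article>`;
}

// Defence in depth: a CSP that disallows inline script, and a session cookie
// that page script cannot read (cookie value is a placeholder).
function timelineHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'Set-Cookie': 'session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax',
  };
}

// Review helper: list the element names a browser would open in this HTML.
function tagNames(html) {
  return [...html.matchAll(/<([a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
}

// Constructed sample post carrying markup in its body.
const storedPost = { author: 'sample_user', body: '<img src=x onerror="alert(1)">' };

console.log(tagNames(renderPostUnsafe(storedPost))); // template tags plus the injected one
console.log(tagNames(renderPostSafe(storedPost)));   // template tags only
```

Encoding at output time is the primary fix; the headers only limit the damage if an encoding gap is missed elsewhere.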
Koo, which was launched in November 2019, promotes itself as an Indian alternative to Twitter and has 6 million active users on its platform. The Bengaluru-based company has also emerged as Nigeria’s social media service of choice after the country indefinitely banned Twitter for deleting a tweet from Nigerian President Muhammadu Buhari.
Aprameya Radhakrishna, co-founder and CEO of Koo, announced the app’s entry into the Nigerian market earlier this week.
The fixes follow another critical vulnerability in the Koo application that was patched earlier in February, which could have allowed attackers to access any user account on the platform without requiring a password or user interaction.
It was discovered by Prasoon Gupta, an independent security researcher. In an interview with The Hacker News, Prasoon explained that the vulnerability is due to the way the application validates access tokens when a user is authenticated with a phone number and a one-time password (OTP) sent to it.
The disclosure comes just over a month after similar XSS-related vulnerabilities were discovered in Microsoft’s Edge browser, which can be exploited to trigger an attack simply by adding a comment to a YouTube video or sending a Facebook friend request from an account that contains non-English content along with an XSS payload.