According to a report issued on Friday by TheHackerNews, the vulnerability is a stored cross-site scripting flaw (also known as persistent XSS) in Koo’s web application: user-supplied content was saved by the service and rendered back to other users without being neutralised, so an attacker’s JavaScript could be embedded directly into pages served by the application.
To carry out the attack, all a malicious actor had to do was log into the service via the web application and post a payload containing script to the timeline; that script then executed in the browser of every user who viewed the post, running with that user’s session.
The issue was discovered by security researcher Rahul Kankrale in July, following which a fix was rolled out by Koo on July 3.
Using cross-site scripting, an attacker can perform actions in the victim’s name with the victim’s privileges and steal browser-held secrets, such as authentication cookies.
What makes this flaw in Koo more worrisome is that it can be turned into an XSS worm: a payload that, once it runs in a victim’s browser, reposts itself to that victim’s timeline, so it propagates among the website’s visitors and infects further users without any additional user interaction, like a chain reaction.
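To show the mechanism the report describes, the following is an added example (it is not Koo’s code and is not taken from TheHackerNews report): a toy timeline renderer that interpolates stored post bodies straight into HTML, next to the fixed version that HTML-escapes them. The post data and the attacker payload are constructed for illustration; the check function is a deliberately crude test helper, not a general XSS detector.

```javascript
// Added example, not Koo's code. Constructed sample timeline data: one
// ordinary post and one attacker post carrying a stored XSS payload.
const posts = [
  { user: "alice", body: "Hello Koo!" },
  // Constructed payload: a broken image whose error handler runs script
  // in the viewer's browser, with the viewer's cookies and session.
  { user: "mallory", body: '<img src=x onerror="alert(document.cookie)">' },
];

// Vulnerable renderer: the stored body is dropped into the template
// verbatim, so the browser parses the attacker's markup as markup and
// the onerror handler executes for every user who views the timeline.
function renderTimelineUnsafe(items) {
  return items
    .map((p) => `<div class="post"><b>${p.user}</b>: ${p.body}</div>`)
    .join("\n");
}

// Escape the five characters that let text break out of an HTML text
// node or a double-quoted attribute value.
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Fixed renderer: every piece of user-controlled data is escaped at the
// point where it is placed into HTML, so the payload is displayed as
// text instead of being interpreted as a tag with an event handler.
function renderTimelineSafe(items) {
  return items
    .map(
      (p) =>
        `<div class="post"><b>${escapeHtml(p.user)}</b>: ${escapeHtml(p.body)}</div>`
    )
    .join("\n");
}

// Crude regression check for a test suite: does the rendered HTML contain
// a <script> tag, or an element whose attribute list carries an on*=
// event handler? Only real tag openers (an unescaped "<") count, so the
// escaped text "&lt;img ... onerror=" in the safe output does not match.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\bon\w+\s*=/i.test(html);
}

// Stand-alone run: print both renderings and the check result.
console.log(renderTimelineUnsafe(posts), containsActiveContent(renderTimelineUnsafe(posts)));
console.log(renderTimelineSafe(posts), containsActiveContent(renderTimelineSafe(posts)));
```

Output encoding at the rendering point is the fix for this class of bug; input filtering on the way into the database is a useful second layer but is not sufficient on its own, because the same stored text may later be placed into an attribute, a script block or a URL, each of which needs its own encoding. A Content-Security-Policy that disallows inline script would additionally have stopped an `onerror` handler like the one above from running even if the escaping had been missed.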
Koo, which launched in November 2019, bills itself as an Indian alternative to Twitter and boasts of six million active users on its platform.
The Bengaluru-based company has also emerged as the social media service of choice for Nigeria’s Federal Government after Nigeria indefinitely banned Twitter for deleting a tweet by President Muhammadu Buhari.