Koo, Nigerian govt’s replacement for Twitter, shown to be vulnerable to malicious attacks

Koo, India’s homegrown Twitter clone, has announced it recently fixed a serious security vulnerability that could have been exploited to execute arbitrary JavaScript code against hundreds of thousands of its users, spreading the attack across the platform.

According to a report issued on Friday by TheHackerNews, the vulnerability involves a stored cross-site scripting flaw (also known as persistent XSS) in Koo’s web application that allows malicious scripts to be embedded directly into the affected web application.

To carry out the attack, all a malicious actor had to do was log into the service via the web application and post an XSS-encoded payload to its timeline, which automatically gets executed on behalf of all users who saw the post.

The issue was discovered by security researcher Rahul Kankrale in July, following which a fix was rolled out by Koo on July 3.

Using cross-site scripting, an attacker can perform actions on behalf of users with the same privileges as the user and steal web browser’s secrets, such as authentication cookies.

READ ALSO: Atiku denies reports about using Koo Social Media App, cautions against impersonators

Due to the fact that malicious JavaScript has access to all objects that the website can access, it could allow adversaries to sneak into sensitive data such as private messages, or spread misinformation, or display spam using users’ profiles.

The end result of this vulnerability in Koo, also known as the XSS worm, is more worrisome because it automatically propagates malicious code among a website’s visitors to infect other users—without any user interaction, like a chain reaction.

Koo, which launched in November 2019, bills itself as an Indian alternative to Twitter and boasts of six million active users on its platform.

The Bengaluru-based company has also emerged as the social media service of choice by the Federal Government after Nigeria indefinitely banned Twitter for deleting a tweet by President Muhammadu Buhari.

Join the conversation

Opinions

Support Ripples Nigeria, hold up solutions journalism

Balanced, fearless journalism driven by data comes at huge financial costs.

As a media platform, we hold leadership accountable and will not trade the right to press freedom and free speech for a piece of cake.

If you like what we do, and are ready to uphold solutions journalism, kindly donate to the Ripples Nigeria cause.

Your support would help to ensure that citizens and institutions continue to have free access to credible and reliable information for societal development.

Donate Now