A serious security vulnerability was recently discovered in Koo, an India-developed Twitter-like service. According to the available details, the flaw could have been used to execute arbitrary JavaScript in the browsers of hundreds of thousands of users. A patch has since been released to fix it.
A report on the vulnerability reveals that it stems from a stored cross-site scripting (XSS) flaw in Koo's web application. According to the researchers, the flaw let an attacker plant a malicious script inside the application itself, where it was then served to other users.
To carry out an attack, an attacker only had to log into the service through the web application and post to the timeline a message whose body contained a script payload that the application failed to encode. That payload would then execute automatically in the browser of everyone who viewed the post.
A security researcher, Rahul Kankrale, identified the vulnerability and reported it, after which a patch with a fix was released by Koo on the 3rd of July.
Cross-site scripting exploits a flaw in the web application, not in the browser: attacker-controlled input reaches a page as live markup or script. Because the injected script runs in the victim's browser under the site's origin, it can carry out actions on behalf of the victim with the same rights the victim has. For example, it can read authentication cookies stored in the browser or, where those cookies are marked HttpOnly and cannot be read directly, simply issue requests that the browser authenticates with them automatically.
Malicious JavaScript running in the page can access everything the page itself can under the same-origin policy, which may let an attacker spread false information, post spam from the victim's profile, or read the victim's personal data and private messages.
What is most concerning about the Koo flaw is that it could act as an XSS worm: a payload that, once executed in a victim's browser, uses the victim's session to post itself again, so that each new viewer becomes a carrier in turn. The malicious code spreads across the platform in a chain reaction without any interaction from users beyond viewing their timeline.
To further protect Koo's users from XSS attacks, the company also fixed a reflected XSS vulnerability in the hashtag feature. As described, this flaw allowed an adversary to inject malicious JavaScript through the endpoint used to search for a particular hashtag, which echoed the attacker-supplied value back into the page unencoded; a victim who followed a crafted link to that endpoint would execute the script.
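The stored timeline flaw and the reflected hashtag flaw described above both come down to user input reaching the page without output encoding. The following JavaScript is an added example, not Koo's code or the researcher's: it shows a vulnerable renderer beside its hardened form for both cases, using a constructed payload, and a toy model of how a stored payload that executes propagates as a worm. The function names, the payload and the user list are assumptions made for illustration.

```javascript
// Added example (not Koo's code): how a stored or reflected XSS payload reaches the
// browser as live markup, how output encoding stops it, and why an executing stored
// payload behaves like a worm. Runs under Node; no DOM is needed because we only
// inspect the HTML string a renderer would hand to the browser. All data is constructed.

// Entity-encode a value for an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample payload: a post body whose markup carries an event handler.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable timeline renderer: user content is concatenated straight into markup.
function renderPostUnsafe(post) {
  return `<div class="post" data-author="${post.author}">${post.body}</div>`;
}

// Hardened renderer: every user-controlled value is entity-encoded for its context.
function renderPostSafe(post) {
  return `<div class="post" data-author="${escapeHtml(post.author)}">${escapeHtml(post.body)}</div>`;
}

// Reflected case: a hashtag search page that echoes the query value it was given.
function renderHashtagSearchUnsafe(tag) {
  return `<h2>Results for #${tag}</h2>`;
}
function renderHashtagSearchSafe(tag) {
  return `<h2>Results for #${escapeHtml(tag)}</h2>`;
}

// Demo-only stand-in for the browser's parser: does the markup contain a <script>
// tag or an element carrying an on* event-handler attribute? Once a value has been
// entity-encoded there is no '<' left in it, so nothing inside it can match.
function containsActiveContent(html) {
  return /<script\b|<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Toy model of the XSS worm. users[0] posts the payload. Every other user views the
// timeline; if any rendered post would execute, the payload runs with that viewer's
// session and (as a real worm would, via the site's post API) reposts itself from the
// viewer's account, so later viewers see more copies. Returns the carrier accounts.
function simulateWorm(render, users) {
  const timeline = [{ author: users[0], body: PAYLOAD }];
  const carriers = new Set([users[0]]);
  for (const viewer of users.slice(1)) {
    const executes = timeline.some((post) => containsActiveContent(render(post)));
    if (executes) {
      timeline.push({ author: viewer, body: PAYLOAD });
      carriers.add(viewer);
    }
  }
  return carriers;
}

// Usage: the same input through both renderers.
function demo() {
  const users = ['alice', 'bob', 'carol', 'dave']; // constructed
  console.log('unsafe renderer, carriers:', [...simulateWorm(renderPostUnsafe, users)]);
  console.log('safe renderer, carriers:  ', [...simulateWorm(renderPostSafe, users)]);
  console.log(renderHashtagSearchSafe('<script>alert(1)</script>'));
}
demo();
```

Encoding at the point of output is the fix that removes both flaws at once; the toy model only makes the difference visible. Note that `escapeHtml` is correct for element bodies and quoted attribute values; a value placed inside a JavaScript block, a URL, or an unquoted attribute needs encoding for that context instead.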
For those seeking an Indian alternative to Twitter, Koo, which debuted in November 2019, claims to have 6 million active users. The Bengaluru-based company has also become a popular platform in Nigeria after that country indefinitely suspended Twitter over the deletion of a tweet published by Nigerian President Muhammadu Buhari.