An exploitable security flaw in Koo, India’s home-grown Twitter alternative, could have been used to execute arbitrary JavaScript code against hundreds of thousands of its users, resulting in a platform-wide attack.
The issue was a stored cross-site scripting (XSS) vulnerability, also known as persistent XSS: malicious scripts could be saved directly into Koo’s web application and served back to other users.
An attacker needed nothing more than a web browser to access the service and post an XSS payload to the timeline, which was then executed in the browser of every user who viewed it.
An Indian security researcher detected the flaw in July, and Koo released a remedy on July 3.
Cross-site scripting lets an unauthorized party perform operations on behalf of the victim and steal web browser secrets such as authentication cookies.
Because injected JavaScript runs with the same privileges as the site’s own scripts and can reach every object the website is allowed to access, an adversary could steal sensitive data such as private messages, or use hijacked profiles to disseminate misinformation or spam.
In Koo’s case the flaw was wormable: the malicious code automatically spreads to other visitors of the site, infecting further users like a chain reaction.
Since its launch in November 2019, Koo has amassed a following of 6 million active users. India’s social media site of choice has also established itself in Nigeria, where Twitter was banned indefinitely after it deleted a tweet by the country’s president, Muhammadu Buhari.
Koo’s co-founder and CEO, Aprameya Radhakrishna, announced the app’s introduction into the Nigerian market in recent weeks.
In addition, the hashtag feature was patched for a reflected XSS vulnerability, which could have allowed an adversary to inject malicious JavaScript code into the URL used to search for a given hashtag (“https://www[.]kooapp[.]com/tag/[hashtag]”).
The fixes follow a critical vulnerability patched in February that allowed attackers to gain access to any Koo user account without needing a password or any interaction from the user.
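The two bug classes described above, stored XSS in posted content and reflected XSS in the `/tag/[hashtag]` path, share one defensive pattern: encode user-controlled data for the context it is rendered into, and validate path segments against a strict allow-list before using them. The following is an added illustration written for this article, not Koo’s code; the function names, the `post` object shape and the sample inputs are all constructed for the example.

```javascript
// Added defensive example (not Koo's code): contextual output encoding for
// stored content plus strict validation of a hashtag taken from the URL path.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a string for insertion into an HTML text node or a quoted attribute.
// Every character that can start a tag, entity or attribute boundary is replaced.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Render a stored post. Encoding happens at output time, so whatever was saved
// in the database is displayed as literal text instead of parsed as markup.
function renderPost(post) {
  return `<article><p class="author">${escapeHtml(post.author)}</p>` +
         `<p>${escapeHtml(post.body)}</p></article>`;
}

// Hashtags come from a closed alphabet (letters, combining marks, digits, '_').
// Anything else is rejected rather than "cleaned", which removes the reflected
// XSS surface in the search URL entirely.
const HASHTAG_RE = /^[\p{L}\p{M}\p{N}_]{1,64}$/u;

// Parse "/tag/<name>" and return the validated hashtag, or null on any doubt
// (extra path segments, query strings, undecodable percent-escapes, bad characters).
function parseHashtagPath(path) {
  const m = /^\/tag\/([^/?#]*)$/.exec(path);
  if (!m) return null;
  let tag;
  try {
    tag = decodeURIComponent(m[1]);
  } catch {
    return null; // malformed percent-encoding
  }
  return HASHTAG_RE.test(tag) ? tag : null;
}

// The page for a hashtag search only ever reflects a validated, encoded value.
function renderTagSearch(path) {
  const tag = parseHashtagPath(path);
  if (tag === null) return '<h1>Invalid hashtag</h1>';
  return `<h1>#${escapeHtml(tag)}</h1>`;
}

// A second layer for when encoding is missed somewhere: a CSP that disallows
// inline script, so an injected <script> block or onerror handler cannot run.
function contentSecurityPolicyHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed sample input: a post whose body carries a classic test payload.
const samplePost = { author: 'alice', body: '<script>alert(1)</script>' };

console.log(renderPost(samplePost));
console.log(renderTagSearch('/tag/Koo'));                 // <h1>#Koo</h1>
console.log(renderTagSearch('/tag/%3Cscript%3E'));        // <h1>Invalid hashtag</h1>
console.log('Content-Security-Policy:', contentSecurityPolicyHeader());
```

The design choice worth noting is that the hashtag is validated rather than escaped: escaping would still let odd input reach the page, while an allow-list keeps the rendered value within the characters a hashtag can legitimately contain. Output encoding is still applied afterwards so that a future relaxation of the allow-list cannot silently reintroduce the bug.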
That bug was found by an independent security researcher. “The vulnerability is due to the way in which access tokens are validated when a user authenticates using a phone number and an OTP provided to the app,” he said.
About a month ago, Microsoft’s Edge browser was found to have similar XSS vulnerabilities, which could be exploited by posting a YouTube comment or sending a Facebook friend request from an account whose non-English language content included an XSS payload.
To read more, please check eScan Blog