Koo vulnerable to worm attacks
A critical flaw was discovered in Koo, an India-based service just like Twitter. The exploitation of the vulnerability could lead to execute JavaScript code against its users, allowing the attack to be spread all over the platform. Luckily Koo has been successful in releasing a patch for the vulnerability.
Koo has identified the origin of the attack to be a stored cross-site scripting (XSS) flaw in Koo’s online application. Experts state that XSS attacks enable attackers to inject client-side scripts into vulnerable web pages viewed by other users. To cause the attack, the actor just needs to log into the service through the web app and submit an XSS-encoded payload to the timeline. Whoever sees the post will be affected through the payload.
Malicious JavaScript allows access to all the web page’s resources. This enables the attacker to perform activities from the user’s profile. These actions involve fake information distribution and spam messages display, along with granting access to personal and other private messages.
Koo, a social media app, started it operations in November 2019. It is currently operating as an Indian homegrown alternative to Twitter. Koo has made its footprint in the market through 6 million active users. It has also gained popularity in Nigeria when Twitter was banned in the region. As per the analytics provider Sensor Tower, in the year 2020, Koo experienced 2.6 million installs from Indian app stores.
Rahul Kankrale, a Security Expert, discovered the flaw and reported it, after which Koo was prompt enough to release a patch for it. The thing that is most dangerous in this vulnerability is the XSS worm. As a result, a ripple effect comes into action where the infection spreads to all platform visitors and subsequently to other users without much intervention from them.
To further save the users of the social media app from the attack, Koo also took a step to patch vulnerability in the hashtag feature. This vulnerability, if exploited, could conveniently send JavaScript code in the endpoint for particular hashtags.
