India’s Koo App Found Vulnerable to Critical Worm Attacks


9th August 2021, Kathmandu

India’s Koo app, a Twitter-like service, was found vulnerable to critical worm attacks.

The critical security vulnerability could have been exploited to run arbitrary JavaScript code in the browsers of hundreds of thousands of its users, spreading the attack across the platform.
The flaw found in Koo’s web application was a persistent (stored) cross-site scripting vulnerability, which let malicious scripts be inserted directly into the web application.

The attack could be carried out simply by a malicious actor logging into the service through the web application and publishing an XSS-encoded payload to the timeline; the payload is then automatically executed in the browser of every user who views the post.

Rahul Kankrale, a security analyst, found the issue in July, following which a fix was introduced on July 3. Using cross-site scripting, an attacker can perform actions on behalf of users with the same privileges as the user and steal the web browser’s secrets, such as authentication cookies.
It could let adversaries access crucial data such as private messages, spread misinformation, or publish spam using the user’s profile, because malicious JavaScript has authority over everything that the website can access.

The XSS worm that results from this vulnerability in Koo is far more troublesome, as it automatically executes malicious code in the browsers of a website’s visitors to infect other users, without any prior user interaction, like a chain reaction.

Koo, a Bengaluru-based company, began in November 2019 as an Indian alternative to Twitter and boasts of 6 million active users on its platform, after becoming the social media service of choice in Nigeria when the country indefinitely banned Twitter for deleting a tweet by Nigerian President Muhammadu Buhari.
Koo co-founder and Chief Executive Officer Aprameya Radhakrishna announced the introduction of the app into the Nigerian market earlier this week.

Also patched was a reflected XSS vulnerability in the hashtag feature, which allowed an adversary to pass malicious JavaScript code through the endpoint used for viewing a selected hashtag (“https://www[.]kooapp[.]com/tag/[hashtag]”).
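The two rendering paths the article describes, the stored post body shown on every viewer’s timeline and the hashtag reflected on the /tag/ page, as an added example in JavaScript that is not Koo’s code: the unsafe string concatenation behind a stored XSS beside its output-encoded form, and a strict allowlist check for the reflected hashtag segment. The function names, the HASHTAG_RE policy and the sample post are assumptions.

```javascript
// Added example (not Koo's code): contextual output encoding for a timeline
// renderer, contrasting the unsafe pattern behind a stored XSS with the fix,
// plus strict validation of a reflected hashtag parameter.

// Encode the five characters that can break out of an HTML text or
// double/single-quoted attribute context. Everything else is left intact.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: user-controlled post fields are concatenated straight
// into markup, so a post containing <script> runs in every viewer's browser.
function renderPostUnsafe(post) {
  return `<div class="post"><span class="author">${post.author}</span>` +
    `<p>${post.body}</p></div>`;
}

// Hardened pattern: every user-controlled field is encoded for the HTML
// text context it lands in, so the same post is displayed as literal text.
function renderPostSafe(post) {
  return `<div class="post"><span class="author">${escapeHtml(post.author)}</span>` +
    `<p>${escapeHtml(post.body)}</p></div>`;
}

// Reflected case: the /tag/[hashtag] page echoes the path segment. Accept only
// a conservative hashtag alphabet (assumed policy: letters, digits, underscore,
// 1-64 characters) before it reaches the template, and encode it on output too.
const HASHTAG_RE = /^[\p{L}\p{N}_]{1,64}$/u;
function renderTagHeading(hashtag) {
  if (!HASHTAG_RE.test(hashtag)) {
    return null; // caller should answer 400 instead of reflecting the input
  }
  return `<h1>#${escapeHtml(hashtag)}</h1>`;
}

// Constructed sample post whose body carries markup, as a stored-XSS probe
// would; no real Koo content is used.
const samplePost = {
  author: "constructed_user",
  body: "hello <script>/* constructed marker */</script> world",
};
```

Rendering samplePost through renderPostUnsafe leaves the script element intact in the output, while renderPostSafe emits it as &lt;script&gt; text that the browser will not execute.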

The fixes follow another critical vulnerability in the Koo app, patched earlier this February, that might have allowed attackers to gain access to any user account on the platform without requiring a password or user interaction.

It was discovered by Prasoon Gupta, an independent security researcher. In an interview with The Hacker News, Prasoon explained that the vulnerability arises because of the way the app validates access tokens when a user is authenticated with a phone number and a one-time password (OTP) sent to it.

The disclosure comes a little over a month after similar XSS-related vulnerabilities were uncovered in Microsoft’s Edge browser, which could be exploited to trigger an attack just by adding a comment to a YouTube video or sending a Facebook friend request from an account whose non-English language content contained an XSS payload.

