9th August 2021, Kathmandu
India’s Koo app, a Twitter-like service, was found vulnerable to a critical XSS worm attack.
The critical security flaw could have been exploited to run arbitrary JavaScript code in the browsers of hundreds of thousands of its users, spreading the attack across the platform.
The vulnerability was a persistent (stored) cross-site scripting flaw in Koo’s web application, which allowed malicious scripts to be inserted directly into the application’s pages.
The attack could be carried out simply by logging into the service through the web application and publishing an XSS-encoded payload to the timeline; the payload then executes automatically in the browser of every user who views the post.
Security analyst Rahul Kankrale found the issue in July, and a fix was introduced on July 3. Using cross-site scripting, an attacker can perform actions on behalf of users with the same privileges as those users, and can steal the web browser’s secrets, such as authentication cookies.
Because malicious JavaScript gains the same access as the website itself, an attacker could read sensitive data such as private messages, spread misinformation, or post spam from the user’s profile.
An XSS worm, the end result of this vulnerability in Koo, is far more troublesome, because it automatically executes malicious code in the browsers of a website’s visitors and uses them to infect other users, without any user interaction, like a chain reaction.
Koo, a Bengaluru-based company, began in November 2019 as an Indian alternative to Twitter and boasts 6 million active users on its platform, after it became the social media service of choice in Nigeria when Twitter was indefinitely banned there for deleting a tweet by Nigerian President Muhammadu Buhari.
Koo’s co-founder and chief executive officer, Aprameya Radhakrishna, announced the app’s introduction into the Nigerian market earlier this week.
Also patched was a reflected XSS vulnerability in the hashtag feature, which allowed an adversary to pass malicious JavaScript code through the endpoint used for viewing a selected hashtag (“https://www[.]kooapp[.]com/tag/[hashtag]”).
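As an added illustration of the defence for both the stored XSS in the timeline and the reflected XSS in the hashtag page described above (example code, not Koo’s own), the renderer below HTML-escapes post text and both URL-encodes and HTML-escapes the hashtag at the point of output; the /tag/ path, the post shape and the sample payloads are assumptions.

```javascript
// Added example, not Koo's code: a timeline renderer that neutralises stored
// and reflected XSS by encoding user-controlled data at the point of output.

// HTML-escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the link for a hashtag page (assumed path /tag/<hashtag>): the tag is
// URL-encoded inside href and HTML-escaped inside the link text.
function renderHashtagLink(tag) {
  return `<a href="/tag/${encodeURIComponent(tag)}">#${escapeHtml(tag)}</a>`;
}

// Safe renderer: every user-controlled field passes through an encoder.
function renderPost(post) {
  const tags = post.hashtags.map(renderHashtagLink).join(' ');
  return `<article><p>${escapeHtml(post.text)}</p><p>${tags}</p></article>`;
}

// Vulnerable counterpart, shown only for contrast: raw concatenation lets a
// stored payload land in the page as live markup.
function renderPostUnsafe(post) {
  const tags = post.hashtags.map((t) => `<a href="/tag/${t}">#${t}</a>`).join(' ');
  return `<article><p>${post.text}</p><p>${tags}</p></article>`;
}

// Crude check: does the rendered fragment still contain a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample post (not real Koo data) carrying the classic test payload
// in the body and a second one that tries to break out of the href attribute.
const samplePost = {
  text: 'hello <script>alert(1)</script>',
  hashtags: ['news', '"><script>alert(2)</script>'],
};

console.log(renderPostUnsafe(samplePost)); // payloads survive as live markup
console.log(renderPost(samplePost));       // payloads survive only as inert text
```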
The fixes follow another critical vulnerability in the Koo app, patched earlier in February, that could have allowed attackers to gain access to any user account on the platform without requiring a password or user interaction.
It was discovered by Prasoon Gupta, an independent security researcher. In an interview with The Hacker News, he explained that the vulnerability arose from the way the app validated access tokens when a user authenticated with a phone number and a one-time password (OTP) sent to it.
The disclosure comes a little over a month after similar XSS-related vulnerabilities were uncovered in Microsoft’s Edge browser, which could be exploited to trigger an attack simply by adding a comment to a YouTube video or sending a Facebook friend request from an account whose non-English language content contained an XSS payload.