The social media clone contains vulnerabilities that expose its users to malicious JavaScript code

Aug 7, 2021 04:18 GMT

A security flaw in Koo's platform was uncovered, allowing attackers to run malicious JavaScript code against its users, according to The Hacker News. To keep the exploit from spreading, the platform patched the vulnerability. When security researcher Rahul Kankrale discovered the problem, Koo immediately responded by rolling out a remedy the next day.

Koo contained a stored cross-site scripting vulnerability (also known as persistent XSS), which allows malicious scripts to be injected directly into the affected web application. The attack was carried out with XSS-encoded payloads, and anyone who encountered the message was in danger.

Cross-site scripting allows an attacker to perform actions on behalf of users, with the same privileges as those users, and to steal web browser secrets such as authentication cookies from the victim's browser. Because malicious JavaScript has access to all the objects that a website can access, attackers could gain access to sensitive data such as private messages, spread misinformation, or display spam using the identities of website visitors.
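
The stored XSS pattern described above, shown as an added example that is not Koo's code and not from the original article: a feed renderer that concatenates stored post text into HTML, next to a version that encodes it at output time. All names and the sample posts are hypothetical and constructed for illustration.

```javascript
// Added example: stored XSS in a post feed, vulnerable vs. hardened rendering.
// All names (posts, renderFeedUnsafe, ...) are hypothetical, not Koo's code.

// Constructed sample data: one normal post, one carrying markup.
const posts = [
  { author: "alice", text: "Hello, world & everyone!" },
  { author: "mallory", text: '<img src=x onerror="alert(1)">' },
];

// Vulnerable: stored text is concatenated into HTML as-is, so any markup
// in a post is parsed by the browser of every user who views the feed.
function renderFeedUnsafe(items) {
  return items.map(p => `<li><b>${p.author}</b>: ${p.text}</li>`).join("\n");
}

// Encode the five characters that are significant in HTML text and
// quoted attribute values. "&" must be replaced first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: every stored field is encoded at output time.
function renderFeedSafe(items) {
  return items
    .map(p => `<li><b>${escapeHtml(p.author)}</b>: ${escapeHtml(p.text)}</li>`)
    .join("\n");
}

// Defence in depth for the cookie theft the article mentions: HttpOnly keeps
// the session cookie out of reach of document.cookie, and a CSP without
// 'unsafe-inline' stops inline scripts and inline event handlers from running.
function securityHeaders(sessionId) {
  return {
    "Set-Cookie": `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`,
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
  };
}

console.log(renderFeedUnsafe(posts));
console.log(renderFeedSafe(posts));
```

In the hardened output the second post appears as visible text rather than as an element, so viewing the feed no longer executes anything the poster supplied.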

The malicious code spreads without any intervention

An even more worrisome consequence is that the Koo vulnerability automatically spreads malicious code among website visitors in a chain reaction, without requiring action from the infected users themselves.

With 6 million active users on its website, Koo, which was launched in November 2019 and promotes itself as India's equivalent of Twitter, has quickly gained popularity in the country. Since the Nigerian government suspended Twitter after the president tweeted something inappropriate, the Bengaluru-based company has now become the best alternative social media platform in Nigeria.

A similar issue affecting Microsoft's Edge browser was uncovered this month; it can be exploited by sending a friend request or commenting on a YouTube video with an XSS payload. The attack specifically targets the Microsoft Edge browser.