
India’s Koo, a Twitter-like Service, Found Vulnerable to Critical Worm Attacks

August 6, 2021

Koo, India’s homegrown Twitter clone, recently patched a serious security vulnerability that could have been exploited to execute arbitrary JavaScript code against hundreds of thousands of its users, spreading the attack across the platform.

The vulnerability involves a stored cross-site scripting flaw (also known as persistent XSS) in Koo’s web application that allows malicious scripts to be embedded directly into the affected web application.

To carry out the attack, all a malicious actor had to do was log into the service via the web application and post an XSS-encoded payload to its timeline, which then automatically executed on behalf of every user who viewed the post.


The issue was discovered by security researcher Rahul Kankrale in July, following which a fix was rolled out by Koo on July 3.

Using cross-site scripting, an attacker can perform actions on behalf of users with the same privileges as the user and steal the web browser’s secrets, such as authentication cookies.

Because malicious JavaScript has access to every object the website itself can access, it could allow adversaries to reach sensitive data such as private messages, spread misinformation, or display spam using users’ profiles.

The end result of this vulnerability in Koo, also known as an XSS worm, is more worrisome because it automatically propagates malicious code among a website’s visitors to infect other users, without any user interaction, like a chain reaction.

Koo, which launched in November 2019, bills itself as an Indian alternative to Twitter and boasts 6 million active users on its platform. The Bengaluru-based company has also emerged as the social media service of choice in Nigeria after the country indefinitely banned Twitter for deleting a tweet by Nigerian President Muhammadu Buhari.


Aprameya Radhakrishna, co-founder and chief executive officer of Koo, announced the app’s entry into the Nigerian market earlier this week.

Also patched was a reflected XSS vulnerability related to the hashtag feature, which allowed an adversary to pass malicious JavaScript code in the endpoint used for searching for a specific hashtag (“https://www[.]kooapp[.]com/tag/[hashtag]”).

The disclosure comes a little over a month after similar XSS-related vulnerabilities were uncovered in Microsoft’s Edge browser, which could be exploited to trigger an attack simply by adding a comment to a YouTube video or sending a Facebook friend request from an account that contains non-English language content accompanied by an XSS payload.
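Both flaws described above, the stored XSS in timeline posts and the reflected XSS in the `/tag/[hashtag]` endpoint, come down to user-controlled text being placed into HTML without contextual output encoding. The following is an added defensive example, not Koo’s code and not from the researcher’s report: it shows the two controls a web application should apply, escaping every untrusted field at the point it is rendered and validating a hashtag against an allow-list before reflecting it, plus a Content-Security-Policy header as a second layer. The function names, the hashtag policy and the sample post are constructed for illustration.

```javascript
// Added defensive example (not Koo's code): escape untrusted user content before
// it is embedded in HTML, so a stored post body or a reflected hashtag is rendered
// as inert text. All names and sample data here are constructed for illustration.

// HTML-significant characters and their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape text for insertion into an HTML element body or a quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list for hashtags (constructed policy): letters, digits and underscore,
// 1 to 64 characters. Anything else is rejected rather than reflected.
function normalizeHashtag(raw) {
  const tag = String(raw).trim().replace(/^#/, '');
  return /^[\p{L}\p{N}_]{1,64}$/u.test(tag) ? tag : null;
}

// Render a timeline post. Every user-controlled field passes through escapeHtml,
// so markup stored in the body cannot become part of the page's DOM as elements.
function renderPost(post) {
  const author = escapeHtml(post.author);
  const body = escapeHtml(post.body);
  return `<article class="post"><b>${author}</b><p>${body}</p></article>`;
}

// Render the heading of the /tag/[hashtag] search page. The tag is validated
// first; the escape is kept as well so a future policy change cannot reopen the hole.
function renderTagPage(rawTag) {
  const tag = normalizeHashtag(rawTag);
  if (tag === null) {
    return '<h1>Invalid hashtag</h1>';
  }
  return `<h1>Posts tagged #${escapeHtml(tag)}</h1>`;
}

// Defence in depth: a Content-Security-Policy that forbids inline script, so
// markup that slips past a template is still not executed by the browser.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed sample input: a post whose body contains a script tag, the kind of
// content a stored-XSS regression test would feed through the renderer.
const samplePost = { author: 'alice', body: '<script>notify()</script> hello' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderPost(samplePost));
  console.log(renderTagPage('#infosec'));
  console.log(renderTagPage('<script>'));
  console.log('Content-Security-Policy: ' + cspHeader());
}
```

The escaping must happen at render time and per output context; escaping once on input and then trusting the stored value is the pattern that typically leaves a stored XSS behind when a second rendering path is added later. A CSP such as the one in `cspHeader()` does not replace output encoding, but it turns a missed escape into a blocked script rather than an executed one, which is what limits the worm-style propagation the article describes.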
