Koo, India's homegrown Twitter clone, recently patched a serious security vulnerability that could have been exploited to execute arbitrary JavaScript code against hundreds of thousands of its users, spreading the attack across the platform.
The vulnerability involves a stored cross-site scripting flaw (also known as persistent XSS) in Koo's web application that allows malicious scripts to be embedded directly into the affected web application.
To carry out the attack, all a malicious actor had to do was log into the service via the web application and post an XSS-encoded payload to its timeline, which automatically gets executed on behalf of all users who saw the post.
The issue was discovered by security researcher Rahul Kankrale in July, following which a fix was rolled out by Koo on July 3.
Using cross-site scripting, an attacker can perform actions on behalf of users with the same privileges as the user and steal web browser's secrets, such as authentication cookies.
Due to the fact that malicious JavaScript has access to all objects that the website can access, it could allow adversaries to sneak into sensitive data such as private messages, or spread misinformation, or display spam using users' profiles.
The end result of this vulnerability in Koo, also known as XSS worm, is more worrisome because it automatically propagates malicious code among a website's visitors to infect other users—without any user interaction, like a chain reaction.
Koo, which launched in November 2019, bills itself as an Indian alternative to Twitter and boasts of 6 million active users on its platform. The Bengaluru-based company has also emerged as the social media service of choice in Nigeria after the country indefinitely banned Twitter for deleting a tweet by Nigerian President Muhammadu Buhari.
Aprameya Radhakrishna, co-founder, and chief executive officer of Koo, announced the entry of the app into the Nigerian market earlier this week.
Also patched was a reflected XSS vulnerability associated with the hashtag feature, thus allowing an adversary to pass malicious JavaScript code in the endpoint used for searching for a specific hashtag ("https://www[.]kooapp[.]com/tag/[hashtag]").
The fixes follow another critical vulnerability in the Koo app was patched earlier this February that could have allowed attackers to gain access to any user account on the platform without requiring a password or user interaction.
It was discovered by Prasoon Gupta, an independent security researcher. In an interview with The Hacker News, Prasoon explained that the vulnerability arises due to the way the app validates access tokens when a user is authenticated with a phone number and an one-time password (OTP) sent to it.
The disclosure comes a little over a month after similar XSS-related vulnerabilities were uncovered in Microsoft's Edge browser, which can be exploited to trigger an attack simply by adding a comment to a YouTube video or sending a Facebook friend request from an account that contains non-English language content accompanied by an XSS payload.