Koo gains momentum — three million downloads in the last 24 hours or so — as many in India believe that they should be using a desi aka Atmanirbhar app, the app has also started attracting scrutiny. How safe is it? That is the question. According to a French security researcher, Koo is not very safe, and currently, it is leaking a lot of sensitive user information including email ID, phone numbers and date of birth.
French cybersecurity researcher Robert Baptiste, popularly known as Elliott Anderson on Twitter, has looked at Koo and has found that it is a fairly leaky app. Baptiste earlier grabbed headlines after highlighting several vulnerabilities in the Aadhaar system. He has also highlighted a number of security bugs and vulnerabilities in other tech services.
Update: Reacting to the data leaks, Koo has said, “Users enter their profile data on the app to be shared with others on the platform. That’s what’s displayed everywhere across the platform. While there have been false allegations of a data leak, it’s just commonly called the public profile page for all users to view!”
Last night, Baptiste tweeted that they asked and so he did it and that he had spent 30 min on this new Koo app. He also said that the app is leaking of the personal data of his users: email, dob, name, marital status, gender.
If we go by the screenshots he has shared, it is clear that Koo is leaking some sensitive details and it is possible that data of millions of users have already been leaked or scrapped, including data of Indian government departments and ministers who have joined the service.
After Twitter refused to block accounts of journalists, politicians, and activists tweeting on farmers’ protests, a push has been started by many to an Atmanirbhar social media app. Also the Ministry of Electronics and the nformation Technology (MeitY) along with other government departments have verified the handles on Koo.
Minister Piyush Goyal said on Twitter that he is now on Koo and he said to connect with him on this Indian micro-blogging platform for real-time, exciting and exclusive updates. He told them to exchange their thoughts and ideas on Koo.
Baptiste is not the only one who has found a bug. Replying to his tweet, one of the user said that storing user tokens as frontend global variables if they know the token info of a user.
Chinese connection? Yes and no
Baptiste also shared the Whois record for the domain Kooapp.com, which shows a Chinese connection but that is not entirely accurate. The domain details that Baptiste shared a part of the historical ownership of the domain. The record says that it was created near to about four years ago and since then he has also changed hands several times. Its latest owner, which is Bombinate Technologies Private Limited, came to own it only in the year 2019. Bombinate is the company behind Koo.
It is worth noting that it is not unusual for the domain addresses to change hands and that it is also entirely possible that the domain which is right now used by an NGO in the past belonged to a company selling illegal drugs.