[BreachExchange] French security researcher claims Twitter's desi rival Koo is 'leaking' personal data of users

Destry Winant destry at riskbasedsecurity.com
Mon Feb 15 10:24:27 EST 2021


https://www.businessinsider.in/tech/apps/news/twitter-alternative-indians-app-koo-is-exposing-personal-data-of-users-as-per-french-researcher/articleshow/80842475.cms

Koo app is reportedly exposing personal data of users, according to a
French security researcher. Koo is a desi alternative to Twitter and
allows its users to post short messages just like Twitter.

According to Robert Baptiste, who goes by the pseudonym Elliot Alderson
(@fs0c131y), Koo is exposing sensitive user information like email
address, date of birth, gender and marital status.

Baptiste has, in the past, exposed flaws in various government apps
and websites, including the government-mandated Aarogya Setu app,
which the Indian authorities have vehemently refuted.

He posted his findings on Twitter, including screenshots of the code
he analyzed.

According to him, Koo has a domain registered in the US, but the
registrant of the domain is based in China. The founders recently
admitted to having a Chinese investor who, they said, would be bought
out.

We have reached out to Koo for a comment on the matter and will update
the story with their statement when we receive it.

Koo’s co-founder Aprameya Radhakrishna took to Twitter to downplay the ‘leak’.

Koo is being backed by Indian ministers as an alternative to Twitter

Koo has gained popularity of late after India’s ministers and
pro-government activists started a #BanTwitter campaign on Twitter.
They also started promoting Koo, with Indian ministers like
Piyush Goyal chipping in with a tweet nudging his followers to join him on
the app.

Prime Minister Narendra Modi also promoted Koo in one of his monthly
addresses to the people. The app also won the government’s Digital
India AtmaNirbhar Bharat Innovate Challenge in 2020.

The 10-month-old app has over 3 million downloads now, registering 10x
growth since December, 2020.

