Viral Indian social media app Koo may not be as secure a platform as people expected. While the Ministry of Electronics and IT (MeitY) and some other government departments in India set up accounts on the made-in-India app, a French ethical hacker said he found that Koo is leaking its users' personal data and has major flaws.
Over one million people have already installed the app after reports said that Twitter refused to comply with the government's directive to block some tweets and accounts. However, as per a recent blog post, the social media giant has permanently banned or hidden over 500 accounts in response to blocking orders it received from the Indian authorities.
The Koo App
The Indian version of Twitter, Koo, was co-founded by entrepreneurs Aprameya Radhakrishna and Mayank Bidwatka. This new microblogging site said that it has so far verified handles of MeitY, MyGov, Digital India, India Post, National Informatics Centre, National Institute of Electronics and Information Technology, Digi Locker, National Internet Exchange of India, Central Board of Indirect Taxes and Customs, among others, on its platform.
In a statement, Koo said: "Key organizations from the Ministry of Electronics and Information Technology (MEITY) have set up accounts on Koo, India's own micro-blogging platform. This move comes as a strategic response as an action against Twitter for not complying with the order for blocking around 257 Tweets and Twitter accounts which were tweeting about farmer genocide."
The app was launched in March 2020. The Prime Minister of India, Narendra Modi, also encouraged users to use the app in his "Mann Ki Baat" speech.
No Safety Assured
White hat hacker Robert Baptiste, who goes by Elliot Alderson on Twitter, said that his followers asked him to check the Koo app for any flaws. Alderson, who exposed flaws in India's Aadhaar as well as the Aarogya Setu app, found that the Indian app is leaking certain personal information from its user accounts.
The ethical hacker wrote on Twitter: "You asked so I did it. I spent 30 min on this new Koo app. The app is leaking the personal data of his users: email, dob, name, marital status, gender..."
He also shared three screenshots along with one image, suggesting that the app has Chinese connections. The snapshot of the app details included the app's domain and registration information.
The domain record shows the IP geolocation as the US and the name of the registrant as Tao Zhou. The state and the country of the registrant are shown as Jiangxi and China. The Koo app earlier counted the Chinese firm Shunwei Capital among its founders. But according to reports, co-founder Radhakrishna said they are in the process of exiting the company.
In a subsequent tweet, Alderson also shared a screenshot that shows the message "no healthy upstream" under the Koo URL. He wrote: "And it's down".