Koo, an Indian microblogging platform that offers a Twitter-like experience in some Indian languages, has been accused of exposing its users' personal data by French security researcher Robert Baptiste, who goes by the pseudonym Elliot Alderson (@fs0c131y on Twitter). Baptiste has, in the past, exposed flaws in various government apps and websites, including the government-mandated Aarogya Setu app, claims that the Indian authorities have vehemently refuted.
Koo is available on desktop, iOS, and Android. The app won the government's Digital India AatmaNirbhar Bharat Innovate Challenge last year, which was meant to encourage local app development. Koo has been developed by Aprameya Radhakrishna, who is also the Co-Founder and CEO of the platform, which was launched in March last year.
Baptiste said that he spent 30 minutes on Koo at the request of users on Twitter and found that the microblogging platform was exposing sensitive information of its users, such as email addresses, names, gender, and more. He also posted a series of tweets to detail his findings about Koo.
Through screenshots posted on Twitter, Baptiste appears to suggest that it was fairly easy for him to get to the personal information of users of Koo. He said the app leaked personal data of its users including email, date of birth, marital status, and gender. In more screenshots, Baptiste also suggested that Koo had a domain registered in the US with the registrant based in China.
You asked so I did it. I spent 30 min on this new Koo app. The app is leaking of the personal data of his users: email, dob, name, marital status, gender, ... https://t.co/87Et18MrOg pic.twitter.com/qzrXeFBW0L
— Elliot Alderson (@fs0c131y) February 10, 2021
And it's down pic.twitter.com/FdSvIiYNA2
— Elliot Alderson (@fs0c131y) February 10, 2021
Responding to Baptiste's claims, Radhakrishna posted on Twitter that the 'exposed' user data was publicly available anyway. He said, "The data visible is something that the user has voluntarily shown on their profile of Koo. It cannot be termed a data leak. If you visit a user profile you can see it anyway." Baptiste termed the response a "lie".
@aprameya the screenshots of the 1st tweet has been done on this profile. Where do you see her dob? Her gender? Her marital status? pic.twitter.com/RCkTfJU1Vw
— Elliot Alderson (@fs0c131y) February 11, 2021
Radhakrishna separately tweeted, "95 percent of Koo users login through their mobile phone number. Language communities of India do not use email to login and hence was not the priority of the company. Email login was introduced recently. Now that concerns have been raised it has already been blocked from view."
Later he tweeted, "We are an Indian company registered in India and servers are in India." The screenshot attached to this tweet showed that kooapp.com is registered in India.
We are an Indian company registered in India and servers are in India. pic.twitter.com/NMe80IR99s
— Aprameya R (@aprameya) February 11, 2021
After Twitter refused to block the accounts of journalists, politicians, and activists tweeting about the farmers' protests, many BJP politicians, ministers, and even some government ministries created handles on the Indian look-alike and started promoting the app.
Baptiste also shared the Whois record for the domain kooapp.com, which shows a Chinese connection, but that is not entirely accurate. The domain details that he shared are part of the historical ownership of the domain. The record reveals that the domain was created close to four years ago and has changed hands several times since then. Its latest owner, Bombinate Technologies Private Limited, came to own it only in late 2019. Bombinate is the company behind Koo. It is worth noting that it is not unusual for domains to change hands.
But there is some indirect Chinese connection to it. Koo co-founder Aprameya R said that a Chinese firm, Shunwei, which had invested in a vernacular question and answer sharing app Vokal owned by the same company that runs Koo, "will be exiting fully".
Source: indiatoday.in, gadgets.ndtv.com, ndtv.com
Written by Siddhant Sharma