Koo app found to be leaking sensitive users data, China connection surfaces

As Koo gains momentum -- three million downloads in the last 24 hours or so -- as many in India believe that they should be using a desi aka Atmanirbhar app, the app has also started attracting scrutiny. How safe is it? That is the question. According to a french security researcher, the answer is that Koo is not very safe and that currently it is leaking a lot of sensitive user information including email ID, phone numbers and date of birth.

French cybersecurity researcher Robert Baptiste, popularly known as Elliott Anderson due to his Twitter account, has looked at Koo and has found that it is a fairly leaky app. Baptiste earlier made news after highlighting several vulnerabilities in the Aadhaar system. He has also earlier highlighted a number of security bugs and vulnerabilities in other tech services.

Last night, Baptiste tweeted: "You asked so I did it. I spent 30 min on this new Koo app. The app is leaking of the personal data of his users: email, dob, name, marital status, gender."

If we go by what his screenshots have shared, it is clear that Koo is leaking some sensitive details and it is possible that data of millions of users have already been leaked or scrapped, including data of Indian government departments and ministers who have joined the service.

As India and Twitter tussle, after Twitter refused to block a few accounts of journalists, politicians, and activists tweeting on farmers' protests, a push has been started by many to an Atmanirbhar social media app. Now, the Ministry of Electronics and Information Technology (MeitY) and other government departments have verified handles on Koo.

"I am now on Koo. Connect with me on this Indian micro-blogging platform for real-time, exciting and exclusive updates. Let us exchange our thoughts and ideas on Koo," minister Piyush Goyal said on Twitter recently.

Baptiste is not the only one who has found a bug. Replying to his tweet, another user noted: "It's storing user tokens as frontend global variables if you know the token info of a user. go to /create you can directly put values in here, with inspecting mode which I think will enable the compose button and you can remotely tweet to that account with the token info."

Chinese connection? Yes and no

Baptiste also shared the Whois record for domain Kooapp.com, which shows a Chinese connection but that is entirely accurate. The domain details that Baptiste shared are part of the historical ownership of the domain. The record reveals that it was created close to four years ago and since then has changed hands several times. Its latest owner, which is Bombinate Technologies Private Limited, came to own it only in late 2019. Bombinate is the company behind Koo.

It is worth noting that it is not unusual for domain addresses to change hands and it is entirely possible that the domain which is currently used by an NGO in the past belonged to a company selling illegal drugs.

But there is a Chinese connection to the Koo app, and this is a small investment in the company by Shunwei. Connected to Xiaomi, Shunwei is a venture capital fund, which invests in startups. However, now that Koo is pitching itself as a. total Atmanirbhar app, it says that Shunwei would be existing the company and would sell its stake soon. The Koo co-founder on Wednesday tweeted, "Koo is an India registered company with Indian founders. Raised earlier capital 2.5 years ago. The latest funds for Bombinate Technologies are led by a truly Indian investor 3one4 capital. Shunwei (single digit shareholder) which had invested in our Vokal journey will be exiting fully.

There also seems to be confusion about the app's real Twitter account. While people have so far been believing that the Koo app is tweeting from @kooappofficioal, its co-founder Aprameya Radhakrishna last night said that the official account of Koo on Twitter is at @kooindia. He tweeted, "The official account of #kooapp is @kooindia. Please note."