- Robert Baptiste, who goes by the name Elliot Alderson on Twitter, has found Koo is leaking sensitive user data.
- Baptiste also says that Koo has a China connection
- Though Koo does have a Chinese investor, who is reportedly now selling the stake.
As Koo gains momentum -- three million downloads in the last 24 hours or so -- as many in India believe that they should be using a desi aka Atmanirbhar app, the app has also started attracting scrutiny. How safe is it? That is the question. According to a French security researcher, Koo is not very safe, and currently, it is leaking a lot of sensitive user information including email ID, phone numbers and date of birth.
French cybersecurity researcher Robert Baptiste, popularly known as Elliott Anderson on Twitter, has looked at Koo and has found that it is leaking some user data. Baptiste earlier grabbed headlines after highlighting several vulnerabilities in the Aadhaar system. He has also highlighted a number of security bugs and vulnerabilities in other tech services.
Update: Reacting to the data leaks, Koo has said, "Users enter their profile data on the app to be shared with others on the platform. That's what's displayed everywhere across the platform. While there have been false allegations of a data leak, it's just commonly called the public profile page for all users to view!"
Talking about the Chinese investment, the company in a statement said, "Koo takes pride in being an Indian company with Indian founders and in being registered here. The recent investment in Bombinate Technologies Koo's parent company was by Mohandas Pai of 3one4 Capital, an Indian investor. Shunwei, a single-digit shareholder that had invested in Vokal, another start-up of ours which answers user questions in Indian languages, will be exiting fully. Bombinate is the parent company of Vokal and Koo."
Last night, Baptiste tweeted: "You asked so I did it. I spent 30 min on this new Koo app. The app is leaking personal data of its users: email, dob, name, marital status, gender."
If we go by the screenshots he has shared, it is clear that Koo is leaking some sensitive details and it is possible that data of millions of users have already been leaked or scrapped, including data of Indian government departments and ministers who have joined the service.
After Twitter refused to block accounts of journalists, politicians, and activists tweeting on farmers' protests, a push has been started by many to an Atmanirbhar social media app. Now, the Ministry of Electronics and Information Technology (MeitY) and other government departments have verified handles on Koo.
"I am now on Koo. Connect with me on this Indian micro-blogging platform for real-time, exciting and exclusive updates. Let us exchange our thoughts and ideas on Koo," minister Piyush Goyal said on Twitter recently.
Baptiste is not the only one who has found a bug. Replying to his tweet, another user noted: "It's storing user tokens as frontend global variables if you know the token info of a user. go to /create you can directly put values in here, with inspecting mode which I think will enable the compose button, and you can remotely tweet to that account with the token info."
Chinese connection? Yes and no
Baptiste also shared the Whois record for the domain Kooapp.com, which shows a Chinese connection, but that is not entirely accurate. The domain details that Baptiste shared a part of the historical ownership of the domain. The record reveals that it was created close to four years ago and since then has changed hands several times. Its latest owner, which is Bombinate Technologies Private Limited, came to own it only in late 2019. Bombinate is the company behind Koo.
It is worth noting that it is not unusual for domain addresses to change hands and it is entirely possible that the domain which is currently used by an NGO in the past belonged to a company selling illegal drugs.
But there is a Chinese connection to the Koo app, and this is a small investment in the company by Shunwei. Connected to Xiaomi, Shunwei is a venture capital fund, which invests in startups. However, now that Koo is pitching itself as a total Atmanirbhar app, it says that Shunwei would be existing the company and would sell its stake soon. The Koo co-founder on Wednesday tweeted, "Koo is an India registered company with Indian founders. Raised earlier capital 2.5 years ago. The latest funds for Bombinate Technologies are led by a truly Indian investor 3one4 capital. Shunwei (single-digit shareholder) which had invested in our Vokal journey will be exiting fully.
There also seems to be confusion about the app's real Twitter account. While people have so far been believing that the Koo app is tweeting from @kooappofficioal, its co-founder Aprameya Radhakrishna last night said that the official account of Koo on Twitter is at @kooindia. He tweeted, "The official account of #kooapp is @kooindia. Please note."
(With inputs from Milan Sharma)