Koo, an Indian microblogging platform that offers a Twitter-like experience in Indian languages, has been accused of exposing its users’ personal data by French security researcher Robert Baptiste, who goes by the pseudonym Elliot Alderson (@fs0c131y on Twitter). Baptiste said that he spent 30 minutes on Koo at the request of users on Twitter and found that the microblogging platform was exposing sensitive information of its users, such as email addresses, names, gender, and more. He also posted a series of tweets to detail his findings about Koo. The new Indian social media platform recently gained some traction after Twitter refused to block some accounts related to the ongoing farmers’ protest at the request of the government.
Through screenshots posted on Twitter, Baptiste appears to suggest that it was fairly easy for him to get to the personal information of users of Koo. He said the app leaked personal data of its users including email, date of birth, marital status, and gender. In more screenshots, Baptiste also suggested that Koo had a domain registered in the US with the registrant based in China.
You asked so I did it. I spent 30 min on this new Koo app. The app is leaking of the personal data of his users: email, dob, name, marital status, gender, … https://t.co/87Et18MrOg pic.twitter.com/qzrXeFBW0L
— Elliot Alderson (@fs0c131y) February 10, 2021
The Indian Twitter lookalike Koo is being heavily promoted by government officials including Union Minister Piyush Goyal, who recently invited users to join him on the app via a post on Twitter. Koo, which is available on desktop, iOS, and Android, offers a Twitter-like experience in Indian languages. The app had won the government’s Digital India AatmaNirbhar Bharat Innovate Challenge last year, which was meant to encourage local app development. Koo has been developed by Aprameya Radhakrishna, who is also the Co-Founder and CEO of the platform that was launched in March last year.