Koo, an Indian microblogging platform that offers a Twitter-like experience in Indian languages, has been accused by French security researcher Robert Baptiste, who goes by the pseudonym Elliot Alderson (@fs0c131y on Twitter), of exposing its users' personal data. Baptiste said that he spent 30 minutes on Koo at the request of users on Twitter and found that the microblogging platform was exposing sensitive information of its users, such as email addresses, names, gender, and more. He also posted a series of tweets to detail his findings about Koo. The new Indian social media platform recently gained some traction after Twitter refused to block some accounts related to the ongoing farmers' protest at the request of the government.
Through screenshots posted on Twitter, Baptiste appears to suggest that it was fairly easy for him to get to the personal information of users of Koo. He said the app leaked personal data of its users including email, date of birth, marital status, and gender. In more screenshots, Baptiste also suggested that Koo had a domain registered in the US with the registrant based in China.
You asked so I did it. I spent 30 min on this new Koo app. The app is leaking of the personal data of his users: email, dob, name, marital status, gender, ... https://t.co/87Et18MrOg pic.twitter.com/qzrXeFBW0L — Elliot Alderson (@fs0c131y) February 10, 2021
The Indian Twitter lookalike Koo is being heavily promoted by government officials including Union Minister Piyush Goyal, who recently invited users to join him on the app via a post on Twitter. Koo, which is available on desktop, iOS, and Android, offers a Twitter-like experience in Indian languages. The app had won the government's Digital India AatmaNirbhar Bharat Innovate Challenge last year, which was meant to encourage local app development. Koo has been developed by Aprameya Radhakrishna, who is also the Co-Founder and CEO of the platform that was launched in March last year.
Responding to Baptiste's claims, Radhakrishna posted on Twitter that the 'exposed' user data was publicly available anyway. He said, "The data visible is something that the user has voluntarily shown on their profile of Koo. It cannot be termed a data leak. If you visit a user profile you can see it anyway." Baptiste termed the response a "lie".
In response to Baptiste's latest allegation, Radhakrishna said, "We're attempting to do something for our country, India. All help is appreciated. If you want to help out in this journey of ours please write to me on email@example.com and we can take a look at all the feedback you have. Thanks!"
Radhakrishna separately tweeted, "95 percent of Koo users login through their mobile phone number. Language communities of India do not use email to login and hence was not the priority of the company. Email login was introduced recently. Now that concerns have been raised it has already been blocked from view."