What was touted as a new “Indian” messaging app that can take on giants like WhatsApp, launched by controversial yoga guru Baba Ramdev, has turned out to be a security nightmare.
Within hours of the launch, the app was taken apart by security researchers who found major gaps in its security architecture.
Ramdev has built a multibillion-dollar empire running a fast-moving consumer goods (FMCG) firm by positioning it as an “indigenous Indian” entity, but his rise is also attributed to his proximity to the Narendra Modi government, and he is also seen at some rallies with the Indian prime minister.
For now, the “Kimbho App,” as it was named by Ramdev’s firm, has been withdrawn after security researchers took to Twitter to start reporting major vulnerabilities in its code. The firm claimed that it issued it only on a “trial basis”and it was a “work in progress.” French security researcher Robert Baptiste, posing under the pseudonym of Eliot Anderson on Twitter, was the first to raise concerns.
Baptiste, who has been focusing on India for a while, pointing out massive security loopholes in its ambitious digital identity project Aadhaar, trained his guns on the Kimbho App. He immediately discovered that it was not an “Indian” application to start with, and was actually using an American app that was little known in the Indian market. Kimbho was basically Bolo Messenger, an instant messaging app, as it was using its basic code structure, Baptiste pointed out.
Security researchers with Pune-based Payatu Labs were also quick to find major bugs and vulnerabilities and immediately sent a detailed report to Ramdev’s firm to alert it about the leaks.
“We found the authentication mechanism was weak and any cyber attacker can log in to anyone’s account,” Payatu director Aseem Jakhar told Asia Times. “”There is end-to-end encryption but it can be easily bypassed and anyone can read the messages being sent and received on the platform. Even the server has simple security issues and we could see it was leaking information that revealed personal sensitive data of any one who had signed up for the service,” he said.
Payatu’s security researcher, Arun Magesh, was the first to spot these flaws and immediately sent across a detailed report to the firm. “The API call to request for Access token has no authentication, the attacker can gain complete access to the account by requesting the access token of any phone number,” he wrote in his report, a copy of which was shared with Asia Times.
Another researcher, who identified himself as “@_Rishi_” on Twitter and is with Pro Hack, also pointed out how the basic code was “leaking contacts, has open API” (application programing interface) among other vulnerabilities. As Magesh from Payatu also reported, the app can be “reversed and manipulated in real time.” Even the basic encryption key, which is used to provide some security to messages on the platform, was in plain text and anyone who could decompile the app would have access, he reported.
Ramdev, who has been controversial for the phenomenal growth of his FMCG firm, is also believed to be close to the ruling Bharatiya Janata Party. He has been trying to ride the “nationalism” wave that is espoused by the Modi government, but has often proved to be controversial. The latest faux pas of his messaging app is likely to undermine his reputation even further.