Baba’s ‘swadeshi’ WhatsApp has security glitches

HYDERABAD: Kimbho, the messaging application released by yoga guru Ramdev, was taken down on Thursday, barely hours after its launch. The app was taken down after security researchers found a series of major flaws in it. The researchers revealed that conversations between users were easy to hack and that anyone with basic knowledge could bypass OTP (one-time-password) registrations, a security feature used to verify valid logins.

On Wednesday, after Patanjali Ayurved Ltd had announced Patanjali-BSNL Swadeshi Samriddhi SIM cards, its co-founder Ramdev tweeted about the messaging app ‘Kimbho’, which was a part of their effort to come up with a ‘swadeshi’ counterpart to popular Facebook-owned WhatsApp. Hours after the announcement was made, security researchers dug into the app, only to open a can of worms.

It was found that security flaws in the app allowed one to register in someone else’s name, even without their consent. An 18-year-old ethical hacker from Delhi, who goes by the Twitter handle @dumbomanson, registered the phone number of this reporter to the app without having to ask for the OTP since.

“I didn’t even need my computer to do this,” he said, explaining that the OTP was sent to the app from the server, which could be easily accessed by a hacker. “As it was easy to break into the app, I got the same OTP you received on your phone,” he explained. Robert Baptiste, a French security researcher, put up a 30-second video on Twitter explaining the process. “It’s possible to choose a security code between 0001 and 9999 and send it to a phone number of your choice,” he tweeted.

Before the app was taken down, researchers also found that it was a “rip-off” of another application, “bolo messenger”, which has been around for two years. The website of ‘bolo messenger’ was found to be defunct.

SK Tijarawala, spokesperson for Patanjali, later on Thursday tweeted saying that “Our trial version of #kimbho app is no longer available for download on any platform. We don’t take any responsibility for many duplicate apps showing on anywhere. Beware!(sic)”

The New Indian Express
www.newindianexpress.com