Feeds

Chick-lit star snubs Menshn.com password flaw alert

'Snippy geek' finds fresh holes in MP's web-jabber thing

Top 5 reasons to deploy VMware with Tegile

Updated A security researcher has warned of new vulnerabilities in Tory MP and former chick-lit queen Louise Mensch's three-month-old chatroom-cum-microblogging service.

A "trivial" CSRF attack (‪cross-site request forgery‬) can change a Menshn.com user's password, according to developer Danny Moules. El Reg has seen proof-of-concept code developed by Moules (@Rushyo) – which has not been publicly released – that backs up his concerns. Assuming targets are logged into Menshn.com, any third-party site might be able to change a victim's Menshn password and registered email address, by using the unresolved CSRF vulnerability on the site to forge requests.

However, both Louise Mensch and the site's co-founder Luke Bozier, a one-time Labour party flack who defected to the Tories earlier this year, were quick to dismiss concerns about the alleged flaw when approached for comment by El Reg.

Bozier responded: "My official response to the security hole would be that we take all of these things very seriously and where there are flaws we fix them straight away. As with any piece of technology, there is always a chance of vulnerabilities - the important thing is to ensure they're fixed rapidly. I maintain that no user data has been stolen and menshn goes above and beyond to ensure the platform is secure, including the use of https encryption as a basic requirement for all users."*

Mensch added: "Passwords are encrypted: HTTPS."

Menshn.com was the subject of a barrage of criticism from security experts when it launched in the UK back in June. Bozier described critics at the time as "snippy geeks".

Since its launch, Menshn has mandated the use of an SSL encrypted tunnel for password exchange and applied a basic filter to stop basic XSS (cross-site scripting) attacks. However many problems remain, according to Moules.

Moules told El Reg: "The CSRF is just the latest in a long list of issues they've had, many of which are still at large. Some people are actively exploiting some XSS holes using a technique that I warned them about months ago (a 'social network worm', so to speak)."

Nick Shearer, a London-based mobile software engineer, who was among the first to document XSS issues on Menshn.com back in June, said that the latest CSRF flaw warning is all too credible.

"It definitely looks sound. I haven't tested it because CSRF attacks are a bit more serious than XSS scripting, and English law takes a fairly backwards view of doing this sort of thing, even with the best of intentions. But there's nothing in that code that suggests it's not a real exploit," he told El Reg.

Menshn.com social network aims to differentiate from other web jabber services such as Twitter by offering online chat rooms featuring on-topic discussion around a particular theme, such as UK politics or the Paralympics. Posted comments are deleted after a week and Menshn promises to offer an environment free of spam and trolls. ®

Bootnote

Sadly, the quote below – originally attributed to Bozier and which had already been a contender for El Reg glory in our Quote of a Week column – actually originated from a Twitter impersonator, according to the Menshn co-founder:

Not true at all. Menshn is 100% secure. There has never been a CSRF attack and I'm sure I know how to Google what that is.

Beginner's guide to SSL certificates

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?