Feeds

Chick-lit star snubs Menshn.com password flaw alert

'Snippy geek' finds fresh holes in MP's web-jabber thing

Next gen security for virtualised datacentres

Updated A security researcher has warned of new vulnerabilities in Tory MP and former chick-lit queen Louise Mensch's three-month-old chatroom-cum-microblogging service.

A "trivial" CSRF attack (‪cross-site request forgery‬) can change a Menshn.com user's password, according to developer Danny Moules. El Reg has seen proof-of-concept code developed by Moules (@Rushyo) – which has not been publicly released – that backs up his concerns. Assuming targets are logged into Menshn.com, any third-party site might be able to change a victim's Menshn password and registered email address, by using the unresolved CSRF vulnerability on the site to forge requests.

However, both Louise Mensch and the site's co-founder Luke Bozier, a one-time Labour party flack who defected to the Tories earlier this year, were quick to dismiss concerns about the alleged flaw when approached for comment by El Reg.

Bozier responded: "My official response to the security hole would be that we take all of these things very seriously and where there are flaws we fix them straight away. As with any piece of technology, there is always a chance of vulnerabilities - the important thing is to ensure they're fixed rapidly. I maintain that no user data has been stolen and menshn goes above and beyond to ensure the platform is secure, including the use of https encryption as a basic requirement for all users."*

Mensch added: "Passwords are encrypted: HTTPS."

Menshn.com was the subject of a barrage of criticism from security experts when it launched in the UK back in June. Bozier described critics at the time as "snippy geeks".

Since its launch, Menshn has mandated the use of an SSL encrypted tunnel for password exchange and applied a basic filter to stop basic XSS (cross-site scripting) attacks. However many problems remain, according to Moules.

Moules told El Reg: "The CSRF is just the latest in a long list of issues they've had, many of which are still at large. Some people are actively exploiting some XSS holes using a technique that I warned them about months ago (a 'social network worm', so to speak)."

Nick Shearer, a London-based mobile software engineer, who was among the first to document XSS issues on Menshn.com back in June, said that the latest CSRF flaw warning is all too credible.

"It definitely looks sound. I haven't tested it because CSRF attacks are a bit more serious than XSS scripting, and English law takes a fairly backwards view of doing this sort of thing, even with the best of intentions. But there's nothing in that code that suggests it's not a real exploit," he told El Reg.

Menshn.com social network aims to differentiate from other web jabber services such as Twitter by offering online chat rooms featuring on-topic discussion around a particular theme, such as UK politics or the Paralympics. Posted comments are deleted after a week and Menshn promises to offer an environment free of spam and trolls. ®

Bootnote

Sadly, the quote below – originally attributed to Bozier and which had already been a contender for El Reg glory in our Quote of a Week column – actually originated from a Twitter impersonator, according to the Menshn co-founder:

Not true at all. Menshn is 100% secure. There has never been a CSRF attack and I'm sure I know how to Google what that is.

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.