A security researcher has warned of new vulnerabilities in Tory MP and former chick-lit queen Louise Mensch's three-month-old chatroom-cum-microblogging service. A "trivial" CSRF attack (cross-site request forgery) can change a user's password, according to developer Danny Moules. El Reg has seen proof-of-concept …


  Anonymous Coward

    "Passwords are encrypted: HTTPS." - Oh, well that's OK then; Dozy bint.

  2. TeeCee

    Just out of interest.

    Does anyone use it, apart from its founders, the mates they've strongarmed into going there and security pros trying to punch holes in it?

    Anonymous Coward

      Re: Just out of interest.

      On a quick investigation, no. In fact, I'd say there are more security experts probing it than it has active users.

    2. Hieronymus Howerd

      Re: Just out of interest.

      Must admit I was a bit surprised to hear it was still going today! I had a quick look when it opened and it was just a couple of Americans sitting around going "hello? anybody here?"

      1. Midnight

        Re: Just out of interest.

        When did this conversation turn to Google Plus?

  3. Neil Brown

    "Passwords are encrypted: HTTPS"

    Any kind security person care to help me understand this? I thought https was a transport layer security, protecting data in the course of transmission, rather than protecting the passwords on the server? Would the use of https protect against / prevent a CSRF attack?

    1. CaptainHook

      Re: "Passwords are encrypted: HTTPS"

      Would the use of https protect against / prevent a CSRF attack?


      Short Answer... No

      Long Answer... No, but would stop packet sniffers from seeing what the attacker was doing :)

      Anonymous Coward

        Re: "Passwords are encrypted: HTTPS"

        As you say, HTTPS is a red herring here. If the article is correct, though, and you can use CSRF to change a user's password, then the password change mechanism is flawed anyway (with or without CSRF) - you should at least have to supply the current password when changing it (see CWE-620).
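To make the two points above concrete (HTTPS does not stop a forged cross-site request, and a password change should demand the current password, CWE-620), here is an added illustration that is not code from Menshn or from anyone in the thread. The handlers, the in-memory user store and the form fields are hypothetical; the "vulnerable" handler models the flaw the article describes, the "hardened" one the two checks the comment calls for.

```python
import hmac
import secrets

# Constructed sample store: username -> password. A real store would hold
# salted hashes; plaintext keeps the CSRF point readable here.
def make_users():
    return {"alice": "correct horse battery"}

def new_session(user):
    """Server-side session: the anti-CSRF token is random, per session,
    and only ever rendered into the site's own password-change form."""
    return {"user": user, "csrf_token": secrets.token_hex(16)}

def _eq(a, b):
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())

def change_password_vulnerable(users, session, form):
    """The flaw the thread describes: any POST arriving with the victim's
    session cookie is honoured. HTTPS changes nothing, because the browser
    attaches the cookie to a forged cross-site request over TLS as well."""
    users[session["user"]] = form["new_password"]
    return True

def change_password_hardened(users, session, form):
    """Two independent checks: the anti-CSRF token defeats the forged request
    (a hostile page cannot read it), and requiring the current password
    addresses CWE-620 even if the token were somehow leaked."""
    if not _eq(form.get("csrf_token", ""), session["csrf_token"]):
        return False
    if not _eq(form.get("current_password", ""), users[session["user"]]):
        return False
    users[session["user"]] = form["new_password"]
    return True

def demo():
    """Replay one forged request against both handlers, then one legitimate request."""
    users, session = make_users(), new_session("alice")
    # What a hostile page can forge: only the fields it already knows.
    forged = {"new_password": "attacker-chosen"}
    v = change_password_vulnerable(users, session, dict(forged))
    v_changed = users["alice"] == "attacker-chosen"
    users = make_users()
    h = change_password_hardened(users, session, dict(forged))
    legit = {"csrf_token": session["csrf_token"],
             "current_password": "correct horse battery",
             "new_password": "new one"}
    ok = change_password_hardened(users, session, legit)
    return v and v_changed, h, ok and users["alice"] == "new one"
```

`demo()` returns `(True, False, True)`: the forged request succeeds against the vulnerable handler, is rejected by the hardened one, and a genuine form submission still works.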

    2. benjymous

      Re: "Passwords are encrypted: HTTPS"

      Yeah, it's garbage. It's like your bank claiming their deposit boxes are safe, because they use an armoured car for their deliveries.

  Anonymous Coward


    ..this is the most subtle come-on ever to attract marks to a honeypot server, or someone is just facepalm-inducingly likely to get pwnt publicly.

    If the latter, doubtless, La Mensch will talk about how it's all a misogynist plot or something. I hope it's some anon 14-year old girl with a distaste for Z-list pseudo-celebrity Tory wastes of skin that finally does the deed.

  5. frank ly

    "... Menshn promises to offer an environment free of spam and trolls. "

    A politician's promises, .... very reliable I'm sure.

  6. Anonymous Coward

    "Not true at all. Menshn is 100% secure"

    Politicians and their ilk, they must even believe their own stupidity! Why am I not flabbergasted?

    1. Annihilator

      Indeed, 100% secure is basically encrypt the laptop, remove the battery, encase in concrete and drop to the bottom of the ocean. Not exactly useable, but...

      1. Ramiro

        Not even then

        After the french found the black box of that downed flight, I wouldn't trust "hiding" anything at the bottom of the ocean.

        I'd drop it inside an iron smelter.

        Anonymous Coward

          Re: Not even then

          Yeah, between the French and James Cameron, the bottom of the ocean is no longer safe. It's all Jacques Cousteau's fault.

        2. I. Aproveofitspendingonspecificprojects

          Re: Not even then

          You have been watching Transformers too?

          I never understood that bit.

          Maybe the parents of the little girl who thought one of them was a tooth fairy work at the Plentygone.

          While I am on the subject, why was the yellow car a beaten-up old banger at first?

  7. Irongut

    Because politicos know IT security better than pros

    To prove the flaw to them someone should change the passwords for Mensch and her pal Dozier. Perhaps a new password of "I love Tony Blair" would be suitable?

    Sooner or later this site is going to get pwned in a massive way. I'm stocking up on popcorn for when it does.

    Anonymous Coward

      Re: Because politicos know IT security better than pros

      You do know that the rozzers will be at you in an instant? They don't care about the hundreds who had their website accounts hacked, but if they are famous or have plenty of money, they will deal with it quickly.

  8. Mike Smith

    "Not true at all. Menshn is 100% secure."

    I can tell I'm getting old when I remember the number of people I've come across who would see that as a challenge.

    Doesn't say much about Mr Bozo's technical competence if he really believes that. Having read the earlier article with my jaw resting on the keyboard, I rather think he does.

    So... tweet that far and wide, open the popcorn and sit back.

    1. Jaques Croissant

      Re: "Not true at all. Menshn is 100% secure."

      No, you're getting old when you can't remember how many, you're probably still OK... :)

  9. Synja

    Anybody else remember...

    When Oracle made that same claim?

  10. Mike Smith

    And be'ave yourselves, you el Reg lot.

    The poor man is getting very concerned at your disparaging comments:

    "I'm getting increasingly annoyed at your calling Menschn a 'web jabber' service. We prefer 'micro forums' or 'chatspace'"

    So there. Please don't rile the plonker too hard. He'll be on here next.

    As for me, I don't think it's jabber at all. Looks more like random line noise.

  Anonymous Coward

    "Not true at all. Menshn is 100% secure......

    ....There has never been a CSRF attack and I'm sure I know how to Google what that is,"


  12. geekclick

    Just had a quick poke at the site...

    Wish I hadn't wasted the bandwidth!

    1. Elmer Phud

      Re: Just had a quick poke at the site...

      It worked!

      They will soon publish figures of a dramatic increase in traffic for this month (but not by day).

    Anonymous Coward

      Re: Just had a quick poke at the site...

      Yours or theirs?

  13. Anonymous Coward

    100% Secure...

    Don't you just love it when some Fool lays down a Challenge like that...

  14. LinkOfHyrule

    I've been waiting for this.

    "Not true at all" hahahaha, I'm going to need to start wearing Attends pads if you make me laugh any more than this!

    OMG el Reg, you are like so totally liars and stuff, cos the Menshster says you are cos they've got SSL and encryption and they know how to google stuff and everything!

  15. Some Beggar

    "100% secure"

    "free of spam and troll"

    They've never even visited the internet, have they?

    1. Pete B

      Where's Anonymous when you need them...

      Anonymous Coward

        Is that like calling your grandmother to ask for an NSA employment application? (I love 30 year old jokes)

  16. SJRulez

    She's a former MP; that should tell you everything you need to know, which is far more than she does!

  17. Destroy All Monsters

    "and I'm sure I know how to Google what that is"

    But doesn't that mean he doesn't know what that is and moreover is not 100% sure how to Google what that is?

    "We don't need to do anything, apart from just stop him entering the room."

    "Leaving the room!"

    "Leaving the room ... yes. "

    "Got it?"


  18. Hungry Sean

    UK law and pen-testing?

    I thought the comment from Nick Shearer about testing CSRF being legally problematic in the UK was more interesting than the newsflash: "Politicians are willfully ignorant of technology." Does this extend to contracted pen-tests as part of a security audit? What about course work on an internal network, or developing security tools? Just a curious yank.

    1. Jess--

      Re: UK law and pen-testing?

      Pen testing your client's network etc. is fine since you have their consent to attempt to gain access; getting bored and pen testing their competitors, however, would not be OK.

      Anonymous Coward

        Re: UK law and pen-testing?

        If you are undergoing any pen tests for your client I would recommend that you get their lawyer's / legal team's permission in writing.

  19. Rufo

    lol at quoting fake-bozier

    the real bozier left twitter a couple of months ago and someone took his name, pretty obvious if you look at the things he tweets

  Anonymous Coward

    When a spook says "That country has no WMDs," a politician replies, "You're wrong, go and look again and don't come back till you've found something".

    When a doctor says "This country's drug laws bear no relation to the effects of said drugs," a politician replies, "You're wrong, my convictions tell me that all drugs are evil... apart from alcohol and tobacco of course".

    When a computer security expert says "Your website is riddled with holes and is in imminent risk of being pwned by a script kiddie," a politician replies, "You're wrong, I've Googled it".

    These people seem to have an immense reality distortion field going on. Perhaps we could harness it to create true cloaking devices? It would save us from having to style our latest top secret military tech after small Italian bistros.

  21. nuked

    "100% secure - we use HTTPS"

    This HAS to be a trap. Surely.

    What she said is monumentally stupid...

    Worrying to think that this is someone who used to help run the country, and who sat on the select committee that investigated the widespread laziness of celebs not changing default passwords (sorry, "phone hacking")

  Anonymous Coward

    Don't be mean

    Poor Louise, she is only trying to make a difference in this crazy mixed-up world. She cares.

    Show her that you care too- help verify the performance of her site with apachebench. Give the gift of certainty; the poor dear says that she suffers from anxiety.

  Anonymous Coward

    "Free of trolls"

    Oh, so she won't be using it then.

