"Passwords are encrypted: HTTPS." - Oh, well that's OK then; Dozy bint.
Chick-lit star snubs Menshn.com password flaw alert
A security researcher has warned of new vulnerabilities in Tory MP and former chick-lit queen Louise Mensch's three-month-old chatroom-cum-microblogging service. A "trivial" CSRF attack (cross-site request forgery) can change a Menshn.com user's password, according to developer Danny Moules. El Reg has seen proof-of-concept …
-
Wednesday 5th September 2012 12:29 GMT Neil Brown
"Passwords are encrypted: HTTPS"
Any kind security person care to help me understand this? I thought https was a transport layer security, protecting data in the course of transmission, rather than protecting the passwords on the server? Would the use of https protect against / prevent a CSRF attack?
-
-
Wednesday 5th September 2012 13:50 GMT Anonymous Coward
Re: "Passwords are encrypted: HTTPS"
As you say, HTTPS is a red herring here. If the article is correct, though, and you can use CSRF to change a user's password, then the password change mechanism is flawed anyway (with or without CSRF) - you should at least have to supply the current password when changing it (see CWE-620).
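A minimal illustration of that point, added here and not code from Menshn or from the article: the flawed password-change handler beside one that demands both a per-session CSRF token and the user's current password (CWE-620). The user store, origin and session layout are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory store for the example: one user, PBKDF2-hashed password.
SALT = secrets.token_bytes(16)
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}
SITE_ORIGIN = "https://example.invalid"  # assumed origin of the site's own pages


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def verify_password(user: str, password: str) -> bool:
    return hmac.compare_digest(_hash(password), USERS[user])


def new_session(user: str) -> dict:
    # Session-cookie state; the CSRF token is embedded in the site's own forms.
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def change_password_weak(session: dict, form: dict) -> int:
    # Flawed handler: any request carrying the victim's session cookie wins.
    # A cross-site form post sends that cookie automatically, so neither a
    # token nor the current password is needed, over HTTPS or not.
    USERS[session["user"]] = _hash(form["new_password"])
    return 200


def change_password_hardened(session: dict, form: dict, origin: Optional[str]) -> int:
    # CSRF defence: the form must echo the token only the genuine page could read.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403
    # Defence in depth: browsers send Origin on cross-site POSTs; reject mismatches.
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    # CWE-620: re-authenticate before a credential change, even on a same-site request.
    if not verify_password(session["user"], form.get("current_password", "")):
        return 401
    USERS[session["user"]] = _hash(form["new_password"])
    return 200
```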
-
-
-
Wednesday 5th September 2012 12:33 GMT Anonymous Coward
Either
..this is the most subtle come-on ever to attract marks to a honeypot server, or someone is just facepalm-inducingly likely to get pwnt publicly.
If the latter, doubtless, La Mensch will talk about how it's all a misogynist plot or something. I hope it's some anon 14-year old girl with a distaste for Z-list pseudo-celebrity Tory wastes of skin that finally does the deed.
-
Wednesday 5th September 2012 13:02 GMT Irongut
Because politicos know IT security better than pros
To prove the flaw to them someone should change the passwords for Mensch and her pal Dozier. Perhaps a new password of "I love Tony Blair" would be suitable?
Sooner or later this site is going to get pwned in a massive way. I'm stocking up on popcorn for when it does.
-
Wednesday 5th September 2012 13:07 GMT Mike Smith
"Not true at all. Menshn is 100% secure."
I can tell I'm getting old when I remember the number of people I've come across who would see that as a challenge.
Doesn't say much about Mr Bozo's technical competence if he really believes that. Having read the earlier article with my jaw resting on the keyboard, I rather think he does.
So... tweet that far and wide, open the popcorn and sit back.
-
Wednesday 5th September 2012 13:19 GMT Mike Smith
And be'ave yourselves, you el Reg lot.
The poor man is getting very concerned at your disparaging comments:
"I'm getting increasingly annoyed at your calling Menschn a 'web jabber' service. We prefer 'micro forums' or 'chatspace'"
So there. Please don't rile the plonker too hard. He'll be on here next.
As for me, I don't think it's jabber at all. Looks more like random line noise.
-
Wednesday 5th September 2012 13:42 GMT LinkOfHyrule
I've been waiting for this.
"Not true at all" hahahaha, I'm going to need to start wearing Attends pads if you make me laugh any more than this!
OMG el Reg, you are like so totally liars and stuff, cos the Menshster says you are cos they've got SSL and encryption and they know how to google stuff and everything!
-
Wednesday 5th September 2012 14:20 GMT Destroy All Monsters
"and I'm sure I know how to Google what that is"
But doesn't that mean he doesn't know what that is and moreover is not 100% sure how to Google what that is?
"We don't need to do anything, apart from just stop him entering the room."
"Leaving the room!"
"Leaving the room ... yes. "
"Got it?"
"Hic"
-
Wednesday 5th September 2012 15:03 GMT Hungry Sean
UK law and pen-testing?
I thought the comment from Nick Shearer about testing CSRF being legally problematic in the UK was more interesting than the newsflash: "Politicians are willfully ignorant of technology." Does this extend to contracted pen-tests as part of a security audit? What about course work on an internal network, or developing security tools? Just a curious yank.
-
Wednesday 5th September 2012 21:39 GMT Anonymous Coward
When a spook says "That country has no WMDs," a politician replies, "You're wrong, go and look again and don't come back till you've found something".
When a doctor says "This country's drug laws bear no relation to the effects of said drugs," a politician replies, "You're wrong, my convictions tell me that all drugs are evil... apart from alcohol and tobacco of course".
When a computer security expert says "Your website is riddled with holes and is in imminent risk of being pwned by a script kiddie," a politician replies, "You're wrong, I've Googled it".
These people seem to have an immense reality distortion field going on. Perhaps we could harness it to create true cloaking devices? It would save us from having to style our latest top secret military tech after small Italian bistros.
-
Wednesday 5th September 2012 22:05 GMT nuked
"100% secure - we use HTTPS"
This HAS to be a trap. Surely.
What she said is monumentally stupid...
Worrying to think that this is someone who used to help run the country, and who sat on the select committee that investigated the widespread laziness of celebs not changing default passwords (sorry, "phone hacking")