Chick-lit star snubs Menshn.com password flaw alert

A security researcher has warned of new vulnerabilities in Tory MP and former chick-lit queen Louise Mensch's three-month-old chatroom-cum-microblogging service. A "trivial" CSRF attack (cross-site request forgery) can change a Menshn.com user's password, according to developer Danny Moules. El Reg has seen proof-of-concept …

COMMENTS

Anonymous Coward

"Passwords are encrypted: HTTPS." - Oh, well that's OK then; Dozy bint.


Just out of interest.

Does anyone use it, apart from its founders, the mates they've strong-armed into going there and security pros trying to punch holes in it?

Anonymous Coward

Re: Just out of interest.

On a quick investigation, no. In fact, I'd say there are more security experts probing it than it has active users.


Re: Just out of interest.

Must admit I was a bit surprised to hear it was still going today! I had a quick look when it opened and it was just a couple of Americans sitting around going "hello? anybody here?"


Re: Just out of interest.

When did this conversation turn to Google Plus?


"Passwords are encrypted: HTTPS"

Any kind security person care to help me understand this? I thought https was a transport layer security, protecting data in the course of transmission, rather than protecting the passwords on the server? Would the use of https protect against / prevent a CSRF attack?


Re: "Passwords are encrypted: HTTPS"

Would the use of https protect against / prevent a CSRF attack?

*****

Short answer... No

Long answer... No, but it would stop packet sniffers from seeing what the attacker was doing :)


Re: "Passwords are encrypted: HTTPS"

Yeah, it's garbage. It's like your bank claiming their deposit boxes are safe, because they use an armoured car for their deliveries.

Anonymous Coward

Re: "Passwords are encrypted: HTTPS"

As you say, HTTPS is a red herring here. If the article is correct, though, and you can use CSRF to change a user's password, then the password change mechanism is flawed anyway (with or without CSRF) - you should at least have to supply the current password when changing it (see CWE-620).

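The two points made in the replies above (HTTPS says nothing about CSRF, and a password change should demand the current password per CWE-620) as an added example handler. This is illustrative code written for this page, not Menshn's code or anything from the article; the site origin https://example.test, the in-memory user record and the form field names are assumed placeholders.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

SITE_ORIGIN = "https://example.test"  # assumed origin of the site itself (placeholder)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 at rest; HTTPS only protects the password while it is in transit
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(name: str, password: str) -> dict:
    # Constructed in-memory user record standing in for a database row
    salt = os.urandom(16)
    return {"name": name, "salt": salt, "hash": _hash_password(password, salt)}


def verify_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def new_session(user: dict) -> dict:
    # Per-session anti-CSRF token: a form on another site cannot read it, so it
    # cannot be included in a forged POST even though the browser attaches the cookie
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def change_password(session: dict, form: dict, origin: Optional[str]) -> Tuple[bool, str]:
    """Handle a POST to the password-change endpoint. Returns (ok, reason)."""
    # 1. A cross-site POST carries the attacking page's Origin header
    if origin is not None and origin != SITE_ORIGIN:
        return False, "bad origin"
    # 2. The session-bound token must be echoed back (constant-time compare)
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return False, "csrf token mismatch"
    # 3. CWE-620: re-authenticate before the credential is replaced
    user = session["user"]
    if not verify_password(user, form.get("current_password", "")):
        return False, "current password wrong"
    new_password = form.get("new_password", "")
    if len(new_password) < 8:
        return False, "new password too short"
    user["salt"] = os.urandom(16)
    user["hash"] = _hash_password(new_password, user["salt"])
    return True, "changed"
```

Note that check 3 holds even if the token check were missing: a forged request cannot supply the victim's current password, which is why CWE-620 is the more fundamental flaw.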
Anonymous Coward

Either

..this is the most subtle come-on ever to attract marks to a honeypot server, or someone is just facepalm-inducingly likely to get pwnt publicly.

If the latter, doubtless, La Mensch will talk about how it's all a misogynist plot or something. I hope it's some anon 14-year-old girl with a distaste for Z-list pseudo-celebrity Tory wastes of skin that finally does the deed.


"... Menshn promises to offer an environment free of spam and trolls. "

A politician's promises, .... very reliable I'm sure.


"Not true at all. Menshn is 100% secure"

Politicians and their ilk, they must even believe their own stupidity! Why am I not flabbergasted?


Indeed, 100% secure is basically encrypt the laptop, remove the battery, encase in concrete and drop to the bottom of the ocean. Not exactly usable, but...


Not even then

After the French found the black box of that downed flight, I wouldn't trust "hiding" anything at the bottom of the ocean.

I'd drop it inside an iron smelter.


Re: Not even then

Yeah, between the French and James Cameron, the bottom of the ocean is no longer safe. It's all Jacques Cousteau's fault.


Re: Not even then

You have been watching Transformers too?

I never understood that bit.

Maybe the parents of the little girl who thought one of them was a tooth fairy work at the Plentygone.

While I am on the subject, why was the yellow car a beaten-up old banger at first?


Because politicos know IT security better than pros

To prove the flaw to them someone should change the passwords for Mensch and her pal Dozier. Perhaps a new password of "I love Tony Blair" would be suitable?

Sooner or later this site is going to get pwned in a massive way. I'm stocking up on popcorn for when it does.

Anonymous Coward

Re: Because politicos know IT security better than pros

You do know that the rozzers will be at you in an instant? They don't care about the hundreds who had their website accounts hacked, but if they are famous or have plenty of money, they will deal with it quickly.


"Not true at all. Menshn is 100% secure."

I can tell I'm getting old when I remember the number of people I've come across who would see that as a challenge.

Doesn't say much about Mr Bozo's technical competence if he really believes that. Having read the earlier article with my jaw resting on the keyboard, I rather think he does.

So... tweet that far and wide, open the popcorn and sit back.


Re: "Not true at all. Menshn is 100% secure."

No, you're getting old when you can't remember how many, you're probably still OK... :)


Anybody else remember...

When Oracle made that same claim?


And be'ave yourselves, you el Reg lot.

The poor man is getting very concerned at your disparaging comments:

"I'm getting increasingly annoyed at your calling Menschn a 'web jabber' service. We prefer 'micro forums' or 'chatspace'"

So there. Please don't rile the plonker too hard. He'll be on here next.

As for me, I don't think it's jabber at all. Looks more like random line noise.

Anonymous Coward

"Not true at all. Menshn is 100% secure......

....There has never been a CSRF attack and I'm sure I know how to Google what that is,"

Lolz....


Just had a quick poke at the site...

Wish I hadn't wasted the bandwidth!


Re: Just had a quick poke at the site...

It worked!

They will soon publish figures of a dramatic increase in traffic for this month (but not by day).


Re: Just had a quick poke at the site...

Yours or theirs?


100% Secure...

Don't you just love it when some Fool lays down a Challenge like that...


I've been waiting for this.

"Not true at all" hahahaha, I'm going to need to start wearing Attends pads if you make me laugh any more than this!

OMG el Reg, you are like so totally liars and stuff, cos the Menshster says you are cos they've got SSL and encryption and they know how to google stuff and everything!


"100% secure"

"free of spam and troll"

They've never even visited the internet, have they?


Where's Anonymous when you need them...


Is that like calling your grandmother to ask for an NSA employment application? (I love 30 year old jokes)


She's a former MP; that should tell you everything you need to know, which is far more than she does!


"and I'm sure I know how to Google what that is"

But doesn't that mean he doesn't know what that is and moreover is not 100% sure how to Google what that is?

"We don't need to do anything, apart from just stop him entering the room."

"Leaving the room!"

"Leaving the room ... yes. "

"Got it?"

"Hic"


UK law and pen-testing?

I thought the comment from Nick Shearer about testing CSRF being legally problematic in the UK was more interesting than the newsflash: "Politicians are willfully ignorant of technology." Does this extend to contracted pen-tests as part of a security audit? What about course work on an internal network, or developing security tools? Just a curious yank.


Re: UK law and pen-testing?

Pen testing your client's network etc. is fine since you have their consent to attempt to gain access; getting bored and pen testing their competitors, however, would not be OK.

Anonymous Coward

Re: UK law and pen-testing?

If you are undertaking any pen tests for your client I would recommend that you get their lawyer / legal team's permission in writing.


lol at quoting fake-Bozier

The real Bozier left Twitter a couple of months ago and someone took his name; pretty obvious if you look at the things he tweets.

Anonymous Coward

When a spook says "That country has no WMDs," a politician replies, "You're wrong, go and look again and don't come back till you've found something".

When a doctor says "This country's drug laws bear no relation to the effects of said drugs," a politician replies, "You're wrong, my convictions tell me that all drugs are evil... apart from alcohol and tobacco of course".

When a computer security expert says "Your website is riddled with holes and is in imminent risk of being pwned by a script kiddie," a politician replies, "You're wrong, I've Googled it".

These people seem to have an immense reality distortion field going on. Perhaps we could harness it to create true cloaking devices? It would save us from having to style our latest top secret military tech after small Italian bistros.


"100% secure - we use HTTPS"

This HAS to be a trap. Surely.

What she said is monumentally stupid...

Worrying to think that this is someone who used to help run the country, and who sat on the select committee that investigated the widespread laziness of celebs not changing default passwords (sorry, "phone hacking").

Anonymous Coward

Don't be mean

Poor Louise, she is only trying to make a difference in this crazy mixed-up world. She cares.

Show her that you care too: help verify the performance of her site with apachebench. Give the gift of certainty; the poor dear says that she suffers from anxiety.

Anonymous Coward

"Free of trolls"

Oh, so she won't be using it then.
