clever/you - thoughts about mobile

Menshn.com: Security Problems Abound

Update: James Coglan on Twitter writes that these issues have been fixed. Credit is actually due to Menshn for moving quickly, and hopefully they’ll start taking the security of their users more seriously.

Menshn.com is a new site launched by British MP Louise Mensch. I am indifferent about the site itself: like all start-ups, I wish them well. It’s not something I’d personally use, but I can see the appeal. I don’t agree with Louise’s political views, but that doesn’t mean she doesn’t deserve success.

However, other people don’t necessarily agree with me: because of this, it’s really important that sites like menshn.com be secure from the outset. A high-profile launch combined with a personality who some don’t get on with very well means that any obvious security vulnerabilities are likely to be exposed by those out to cause trouble.

It’s also really important that you don’t get too cocky: security issues happen to the best of us. Microsoft employs some of the world’s best engineers - think about all the problems they’ve had over the years! I think it’s safe to say that if you’re posting tweets like this you have to be really sure your website is rock solid:

Unfortunately, Luke is incorrect. While he was tweeting there were several major XSS vulnerabilities on menshn.com. Here’s an example:

This is a very simple reflected XSS attack: it’s visible if you’re running Firefox or some versions of Safari or IE (Chrome contains some additional client-side protection that prevents exploits such as this). As a proof-of-concept, this is more than enough. It’s also a very basic and simple problem to resolve. The registration page’s email field is auto-populated: the e-mail address to pre-fill is passed in through the URL. However, it isn’t sanitised before being written into the page, which means you can embed any content you want: images, text, and - of course - malicious JavaScript.
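To make the bug concrete, here is an added example (not menshn.com’s code; the URL, function names and the form markup are hypothetical) that pre-fills an e-mail field from a query parameter the way the post describes, first reflecting it verbatim and then HTML-escaping it. The fix is escaping on the server, not relying on a browser’s XSS filter.

```python
from html import escape
from urllib.parse import urlparse, parse_qs


def _email_from_url(url: str) -> str:
    """Pull the ?email= parameter out of a registration/login URL (empty if absent)."""
    return parse_qs(urlparse(url).query).get("email", [""])[0]


def render_email_field_unsafe(url: str) -> str:
    """The bug: the URL parameter is written straight into an attribute value.

    Anything containing a double quote can close the value="..." attribute and
    append arbitrary markup to the page.
    """
    return f'<input type="email" name="email" value="{_email_from_url(url)}">'


def render_email_field_safe(url: str) -> str:
    """The fix: HTML-escape &, <, >, " and ' before the value is written out.

    The escaped text can neither terminate the attribute nor open a new tag, so
    whatever the URL carries is shown as literal text inside the field.
    """
    return f'<input type="email" name="email" value="{escape(_email_from_url(url), quote=True)}">'


def attribute_is_contained(html: str) -> bool:
    """Check used below: the rendered fragment must be exactly one <input> tag."""
    return html.count("<") == 1 and html.startswith("<input") and html.endswith(">")


# Constructed test input: a URL whose email parameter closes the attribute and
# adds an <i> element (harmless text, but it proves the page reflects raw markup).
CONSTRUCTED_URL = (
    "https://example.invalid/register.php"
    "?email=alice%40example.com%22%3E%3Ci%3Enot%20an%20email%3C%2Fi%3E"
)

if __name__ == "__main__":
    for renderer in (render_email_field_unsafe, render_email_field_safe):
        html = renderer(CONSTRUCTED_URL)
        print(f"{renderer.__name__}: contained={attribute_is_contained(html)}\n  {html}")
```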

I decided the best thing to do was to responsibly disclose this vulnerability to menshn.com - responsible disclosure is where you allow a period of time for the issue to be fixed before publishing. I sent an e-mail to the contact address provided by menshn.com, and waited to hear back. I also tweeted Luke Bozier, the co-founder of menshn.com, to let him know I had got in touch.

However, this didn’t last very long (less than an hour, in fact). One of the problems with Luke’s tweets was that they invited people to find flaws. You should never claim your site is “safe, clean and secure” - because the chances are it isn’t. Sure enough, it turned out that somebody had already found the exact same vulnerability and tweeted about it:

lol menshn has a trivial XSS issue, menshn.com/login.php?fail… via @jcoglan

— Syd Lawrence (@sydlawrence) June 24, 2012

Since the exploit is out in the wild there’s really no point in me responsibly disclosing it - people have subsequently found even worse security holes that work across all browsers, including Chrome. In fact, it turns out other Twitter users had already tried to responsibly disclose, but to no avail - Jonathan Buchanan being one of them:

Are you looking at the #menshn security issues @Bozier @LouiseMensch? It’s wide open: user detail lifting and flooding viral links possible

— Jonathan Buchanan (@twitinsin) June 24, 2012

It’s clear that menshn.com has some serious security problems. I would strongly advise users to stay away until they can resolve these issues fully: it’s just too unsafe.

In particular, avoid clicking any menshn.com link from any outside source, such as Twitter - they could well be unsafe. Following on from Luke Bozier’s assurance that “no XSS attacks have happened”, a number of users immediately found XSS vulnerabilities in a matter of minutes. There may well be more complex security problems lurking in the background, waiting to be found.


About

I'm Nick, by day a mobile software engineer in London. Mainly I work on iOS and Objective-C, with some dabbling in Android. My views here are my own, not my employer's.

Me, Elsewhere

  • @objclxt on Twitter
