Whenever a new online service is launched, especially if it’s a social media website, its founders try to promote it as well as they can, but it may not be the best idea to start telling people that it’s 100% “safe and secure.”
Luke Bozier, the one who founded Menshn along with British MP Louise Mensch, made that mistake a couple of days ago and he soon noticed that many security enthusiasts from all the corners of the Internet began tweeting about finding various security holes in the site.
Nick Shearer, a principal software engineer at Velti, was among the first to identify a simple cross-site scripting (XSS) vulnerability on the site. He attempted to report it responsibly, but shortly after he notified Menshn, he discovered that others had already made public the details of the security hole.
In the meantime, all sorts of accusations were flying around about SQL Injections, weak password security and other things.
Bozier quickly moved to deny everything.
“Server has not crashed. No XSS attacks have succeeded. No SQL Inject attacks have succeeded. Menshn is a safe, clean & secure environment,” he said.
“So, I doubt this applies to any of my followers but: if you're using Menshn, don't. It's *full* of trivial web security holes,” James Coglan warned.
Coglan identified a way to steal passwords, CSRF flaws and a lot of other issues, which he reported.
“Reported security issues around menshn are unfounded. Your information (ie your password) is safe unless your own computer has been hacked,” Bozier responded to his claims.
Later, Bozier told CNET that there were some vulnerabilities, but they had been addressed, and Coglan confirmed it on Twitter. However, the new Twitter-like website’s owner will also have to convince the Information Commissioner’s Office that Menshn really is a “safe, secure environment.”