Don't Menshn the Crippling Security Holes in This Tory MP's Twitter Rival

By Tom Davenport

As if we needed another social network, Menshn is here to bring topic-orientated chat in Twitter-sized chunks. But what about all these leaky security holes that hackers found upon its UK launch?

You've got to hand it to programmers. They grind code out all day at work, then happily carry on into the wee hours, building their own projects or learning from one another. It's one of the best web communities, and for the most part, they're a well-mannered altruistic bunch.

One great example of their efforts to improve the wider web played out on Twitter last night, but also portrayed Menshn as a proper rush job. It's not a good look.

It started when Menshn arrived in the UK ahead of the England match against Italy last night. It's a new social network launched by Conservative MPs Louise Mensch, who often becomes a liberal target while defending her government, and Luke Bozier who defected from Labour this year.

While football fans were bemoaning the poor performance of their national squad, a legion of hacking fanatics tried prying Menshn apart to check its stability.

It wasn't long before tweeters found that less savoury hackers could intercept email and password combinations. One of them was James Coglan, a programmer from London:

Obviously that sucks like a hoover, so the tweeters made contact with the Menshn team to patch it up. Their response?

The problem is, the password claims weren't guff. The tweeting programmers started trading observations and hacks, and appear to have proven there were serious security issues. It wasn't clear if the Menshn team's reaction was ignorance, arrogance, or plain ol' burying their heads in the sand.

Password weaknesses weren't the only crack. Syd Lawrence, music dev extraordinaire, gamed his way into the top user charts, and even hacked his messages onto the front page with enough upvotes:

Syd says it took only three lines of code to hack his way to the top of the user chart, and the devs tried their best to make contact with the team, but there was no acknowledgement:

Bozier insisted everything was fine, and chipped off to bed. Or so he said.

You'd think that a developer would stay up all night to check it was fine. And then, by morning, wonder of wonders, it was fine!

Which is great, of course. Luke Bozier sent Gizmodo UK the following posh statement to update Menshn users on their security:

"A number of supporters from the web development community yesterday highlighted issues relating to the security of menshn. It was suggested that menshn users could have their passwords stolen, were unable to delete their accounts, or that malicious users could close their accounts completely.

"We have taken all feedback into account, including from the technology community, and have checked and double-checked security on menshn.

"We would like to ensure menshn users that all data sent from your web browser to our server is encrypted – much in the same way an online bank would – and that passwords are scrambled before they are stored in our database."

That's great, but Syd Lawrence has since sent us proof of another XSS exploit, which basically means a nasty hacker-type could insert their own fake login field or make you download a virus. Not ideal, is it? Syd says the whole thing reeks of being a one-man hack job. There's no privacy policy, no mention of cookies, which is pretty important after new digital laws came into play last week, and no-one from Menshn is admitting it all went a bit wrong.

Now Gizmodo has been sent this exclusive little update from the Information Commissioner's Office, which takes care of public interests in the digital domain and keeps all sorts of official websites in check. It basically says its office will investigate the site to see if it's been behaving properly:

"We will be making enquiries into the circumstances of this alleged breach of the Data Protection Act [on Menshn] before deciding what action, if any, needs to be taken."

"We will also be enquiring as to how the website is gaining the consent of individuals before placing a cookie on their device, now a legal requirement under the Privacy and Electronic Communications Regulations (PECR)."

Well fancy that. At least Menshn is secure… or is it? Just as we were going to press, Syd Lawrence linked us to yet another hack which leaves the site insecure. Oh dear.

Finally, it looks like Luke Bozier is becoming a target after initially shunning help from the Twitter crowd. Someone has bought and pulled some cheeky digital graffiti:

But what about Menshn? Should the service be lost in all this debate about security? Let's take a look at the front page to see what the top message is on the network:

Oh. Politics, eh?