Menshn opens up to UK users and runs into security storm

[Guest Evilblade]

Louise Mensch's Menshn social network opened in the UK on Sunday – and quickly ran into arguments about how secure it was, and questions about whether its use of cookies is compliant with European law.

Created by Mensch and the UK internet entrepreneur Luke Bozier, the social network was intended to address Mensch's complaint about Twitter – principally, that there's no control of what topics are discussed.

British users joining on Sunday were instructed to pick from a selection of five topics: Euro 2012, the US election, UK politics, "tech" and "women".

Early indications were that the network seems to have attracted around a thousand British users. But the discussion quickly turned to "tech" – and specifically the apparent lack of security in the site. One Twitter user, James Coglan, was quick to investigate it – and reckoned that it was seriously lacking in security.

Coglan and another Twitter user, Syd Lawrence, said that they had found ways to enable phishing of user accounts in early versions – with Coglan claiming that it was possible to grab users' passwords via login pages.

Bozier denied it, insisting on his Twitter feed that the site has "rock-solid security" and encouraged people to "keep menshning, folks". On Sunday evening he said that there had been "more than 5,000 menshns" – the equivalent of tweets – and more than 50,000 unique visitors, adding "Thanks Britain".

Mensch and Bozier launched the social network less than a week ago, aiming to win Twitter addicts "who find Twitter frustrating". The Tory MP said she thought that it could in time have "fairly large commercial applications".

Bozier told the Guardian at the launch that "Twitter is just too random. We want to encourage people to have conversations rather than broadcast their thoughts." At the time they suggested that the site would not be open to British users until later in the summer.

But at a minute past midnight on Sunday it was opened up to UK users. Mensch's high visibility, as well as her role on the Commons Media select committee into phone hacking, meant that some of the first UK users were less interested in using the site to talk, than to see how robust it was.

Some users who tried it discovered that the PHP used to set the site up had obvious ways in which it could be exploited, though not harmfully, as in this example (which on Sunday evening displayed the message "Don't watch this watch Scrapper Duncan's Blog instead – it's much more interesting"; it has now been fixed).

Lawrence insisted that claims on Sunday by Mensch and Bozier that the "password stuff was guff" and that reportrs about security issues were "unfounded" were, at the time they were made, incorrect because, he said, passwords were being sent unencrypted over the net – which goes against standard web security design.

Other users raised questions about the site's use of cookies, as there was no obvious warning - as is required under European law – about the implementation of cookies for users of the site. Bozier had no response.

In an email to the Guardian, Bozier indicated his complete confidence in the security of the site, saying that he challenged anyone who thought that they could grab his password to use his email and attempt to log in as him.

But the Guardian understands that Bozier did work with at least one of his Twitter critics to close down potential security holes that could have exposed users to hacking attempts, and that he is working on implementing greater security for logins and connections to the fledgling site.

Bozier later told the Guardian: "A number of supporters from the web development community yesterday [sunday] highlighted issues relating to the security of menshn. It was suggested that menshn users could have their passwords stolen, were unable to delete their accounts, or that malicious users could close their accounts completely.

"We have taken all feedback into account, including from the technology community, and have checked and double-checked security on menshn." The site now uses secure http connections, and data sent to the system is checked or malicious code so that XSS – cross-site scripting – attacks, usually using Javascript, are blocked.

Users can also now permanently close their account, and delete "menshns" from the site as well as other data, he said: "Menshn is a clean and safe online environment where people can talk about the topics that interest them, free of spam, trolls and unsafe code."