Yet another social network: Minds. The network is powered by “software that respects your freedom & privacy.” One of its privacy-friendly features is that it allows for end-to-end encrypted private messaging. However, there are some critical vulnerabilities in the social network’s website that need to be fixed before it can really be privacy-friendly.
The network is clearly taking aim at Facebook. Minds founder Bill Ottman told Business Insider that “Our stance is the users deserve the control of social media in every sense”. The Minds team has also opted for a transparent ranking algorithm, which sharply contrasts with Facebook’s timeline ‘black box’.
“For every mobile vote, comment, remind, swipe and upload you earn points which can be exchanged for views on posts of your choice. It’s a new web paradigm that gives everyone a voice” (Wired).
The network seems to have attracted the attention of activist group Anonymous. An Anonymous-affiliated page, ‘ART of Revolution’, put out a call to support the site: “Let us collaborate to help build minds.com and other open-source, encrypted networks to co-create a top site of the people, by the people and for the people”.
Interestingly, security company VoidSec put the website of the new social network to the test and found critical vulnerabilities. Some elements, such as the site’s search box, make it possible to inject malicious code into the page, which can be used for phishing attacks. According to VoidSec’s report, public messages can easily be deleted. Furthermore, all file types can be uploaded to the network, making it vulnerable to malware distribution. Although Minds is still in ‘alpha’, these and other issues mentioned in the report need to be fixed quickly before we can take Minds seriously as a privacy-friendly social network.
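The two issue classes VoidSec highlighted, a search box that reflects user input into the page and an upload feature that accepts any file type, both have a standard defensive counterpart. The Python snippet below is an added illustration of those countermeasures; it is not code from the original post, from Minds or from VoidSec’s report, and the function names, the allowlist and the sample inputs are constructed assumptions.

```python
"""Defensive checks for reflected search input and unrestricted uploads.

Added example code; not Minds' or VoidSec's code. The allowlist, limits and
function names are constructed assumptions for illustration.
"""
import html
import os
from typing import List, Tuple

# Constructed allowlist: extension -> (MIME type, accepted magic-byte prefixes).
# Checking the first bytes of the content, not just the name, is what stops a
# renamed executable from being stored as an "image".
ALLOWED_UPLOADS = {
    ".png": ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    ".jpg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".gif": ("image/gif", [b"GIF87a", b"GIF89a"]),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed size limit


def render_search_results(query: str, results: List[str]) -> str:
    """Build the results fragment with every dynamic value HTML-escaped.

    The search term is reflected back to the user, so it must be treated as
    data: html.escape turns <, >, &, quotes into entities, which keeps a
    crafted query from becoming markup or script in the page.
    """
    safe_query = html.escape(query, quote=True)
    items = "".join(f"<li>{html.escape(r, quote=True)}</li>" for r in results)
    return f'<h2>Results for "{safe_query}"</h2><ul>{items}</ul>'


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept an upload only if size, extension and content all check out.

    Returns (accepted, reason). The extension selects which magic-byte
    prefixes are acceptable, so a double extension such as "shell.php.png"
    still has to carry real PNG bytes to get through.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # Keep only the final path component and normalise case, so that path
    # tricks or "photo.PNG" are judged on the same footing as plain names.
    base = os.path.basename(filename)
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_UPLOADS:
        return False, f"extension {ext or '(none)'} not allowed"
    _, prefixes = ALLOWED_UPLOADS[ext]
    if not any(data.startswith(p) for p in prefixes):
        return False, "content does not match declared type"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(render_search_results("<script>alert(1)</script>", ["first hit"]))
    print(validate_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_upload("fake.png", b"MZ\x90\x00"))
```

The upload check deliberately ignores the client-supplied Content-Type header: the server derives the expected type from the extension and then verifies it against the bytes it actually received, so both halves have to agree before the file is stored.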
Update June 19, 2015, 9 AM
Apparently, security company VoidSec reported the vulnerabilities without giving Minds a chance to actually fix the issues. The company’s Vulnerability Disclosure Policy describes a detailed workflow for how the company deals with vulnerabilities it finds. An essential step in that workflow is contacting the developer about the vulnerabilities in order to allow them to fix the issues.
On Twitter, Minds claims that VoidSec has not informed Minds about the vulnerabilities:
@stefankulk They made no attempt to contact us before we saw the PUBLIC article yesterday. Who does that? We’re secure & ask hackers to help
— Minds (@minds) June 19, 2015
Two days ago, VoidSec did mention on a Bugs group page within Minds that there were issues. However, one wonders whether this is the appropriate way to contact Minds about security issues.
It seems that VoidSec has sought publicity a bit too quickly. After realizing that, I started a Twitter discussion with VoidSec about the discrepancy between their official disclosure policy and the way they dealt with the situation.
The story ends with some good news as Minds has fixed the issues, and both parties have expressed their will to cooperate in the future.
[Embedded tweets from VoidSec (@Void_Sec) and Minds (@minds), June 19, 2015; tweet text not reproduced here.]