Social network tsū is the network that pays you, the user, a cut of the ad revenue it generates from the content you share, like and create. Sounds like a great deal, doesn’t it? Some have accused tsū of being nothing more than an MLM or pyramid scheme, since by building your network or following larger you could make more money. Arguments can be made for or against tsū’s methods, so feel free to discuss that in the comments if you like. For now, tsū may have bigger issues at hand, such as security.
Yesterday a reddit user discovered, while signing up for tsū, that at no point does the site use any form of SSL to protect user data from being hacked. All URLs are http: and none are https:, even after logging into your account. This is a huge concern, as user data is now likely being stored in plain text. You can read reddit user jancoast’s entire post below.
So you guys probably have heard something about Tsu.co by now, the social network that has recently received 7 million in funding, which pays its users a portion of the ad money it receives based on independent viewership much like the revenue sharing model you see with Youtube. Anyway you can find out all about it at http://tsu.co/faq, since their main site is horrible at explaining anything about the actual project.
Anyway here’s the fun part…
So I decided to try it out, feel free to register using the “invite link” below (it’s invite only right now), just don’t use a password you use for anything else… http://tsu.co/dragmecom
Take a look when you’re registering, notice how there’s no SSL? Haha you guessed it, all of their information throughout the entire site is completely unencrypted. That means all passwords, emails, user addresses, etc. are unencrypted and visible to anyone and everyone.
You don’t need to be a security expert to know this, it’s almost textbook knowledge for anyone who has ever interfaced with the web on a technical level. Soooooo my fellow reddit friends, enjoy this newfound information.
Maybe one of you might be so encouraged to post, “I love good security” via the founder’s account. I tried to email the staff about the concern but still haven’t received a response, maybe you all can “encourage” them to expedite patching this crucial security concern, and protect their users.
Happy cracking! 🙂
We’ve reached out to tsū for comment and, in the meantime, it may be a good idea to change that password, especially if you use it for other sites. What do you think of this security problem tsū may have? Let us know in the comments below or on Google+, Facebook and Twitter.
Update – After reading tsū’s terms of service it seems users are taking their security into their own hands. This is from their TOS.
You are solely responsible for maintaining the confidentiality of your account information, such as your username and password, and for restricting access to your computer and/or mobile devices. You accept full responsibility and liability for all activities that occur under your account or password.
This means you alone are responsible for your account security even though they store and use your information on unsecured servers. Remember, this is a for-profit social network and your financial information is also bouncing around unencrypted, which you will have to find a way to encrypt yourself. Still no reply from tsū.
Update – tsū Responds (27/10/2014 17:25 ET): tsū has responded to our request for comment from earlier this morning by stating:
“tsu follows standards set by other social networks for safeguarding the information of our users, and will be implementing HTTPS to the main website tonight, effectively encrypting all traffic going to the website. During this time window tsu has been performing extensive security testing, including penetration analysis, and there is no evidence of any user data being compromised. Additionally, from the beginning, all mobile traffic to tsu is on HTTPS.”
So the good news is that SSL will be implemented on the main website tonight, and was already present on mobile traffic to and from the website. tsū also indicated that their security testing has returned no evidence of user data being compromised, which is even better news. However, the question still remains as to why SSL wasn’t implemented on the site in the first place.
Update – tsū Responds (28/10/2014 13:10 ET): After noticing that tsū hadn’t implemented SSL last night as stated in their previous statement, we reached out again this morning and received another statement from the company. We will continue to monitor their progress, but for now things are still not secure.
Thanks for following up. Pinged the team this morning and just heard back—looks like they ran into an obstacle last night and will be implementing it today. It’s their top priority!
I’ll be monitoring for it and will let you know when it’s live.
Update – tsū adds SSL encryption (28/10/2014 21:45 ET): Good news for all: we have checked the tsū website again this Tuesday evening and are happy to report they are now using SSL encryption.