Bug Privacy Security Politics

Disqus Bug Deanonymizes Commenters 151

alphatel writes "The Swedish company Researchgruppen has discovered a flaw in the Disqus commenting system, enabling them to identify Disqus users by their e-mail addresses. The crack was done in cooperation with the Bonnier Group tabloid Expressen, in order to reveal politicians commenting on Swedish hate-speech sites."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Wednesday December 11, 2013 @10:55AM (#45660049)

    Of course, the Swedish definition of "hate speech" is any criticism of radical feminism or the failed principles of multiculturalism.

  • Re:I do. (Score:2, Informative)

    by Anonymous Coward on Wednesday December 11, 2013 @11:14AM (#45660217)

    Nice sentiment, but here in the real world, people in general, which make up the vast majority of employers, are petty, vindictive assholes. As a general rule, you want to keep your personal life as separate from your professional life as humanly possible, especially in a job market where choice is a luxury few enjoy.

  • Re:I do. (Score:5, Informative)

    by Vanderhoth ( 1582661 ) on Wednesday December 11, 2013 @11:18AM (#45660273)
    I've had death threats and threats to burn down my house from commenters, not on /., before for simple things like saying abortion is a hot button topic. Not even picking a side, just pointing out people get riled up over it. I'd be willing to stand behind anything I post in a public forum, but I have a wife and child and don't want some overly conservative, overly liberal or someone with an extremist view on some other topic showing up at my house with a molotov cocktail while we're asleep or while I'm away on business. I have no delusions that I'm anonymous and know I *could* be tracked down, but I'm not going to just hand out that info. There are too many crazies out there.

    I mean heck, CBC posted a story about a baby chair that lets someone stick an iPad in front of an infant and people are flying off the hinge about how that should be considered reckless endangerment and child services should be involved for anyone using that product. Are those really the kind of people you want showing up at your house because they think they know what's better for your child than you do?

    I have a friend in animal control who had to deal with a case where a neighbour went into someone else's backyard and killed their puppy by gouging its eyes out with his bare hands because he thought tethering it to a stake in the yard was cruel.
  • by Anonymous Coward on Wednesday December 11, 2013 @11:50AM (#45660567)

    Actually Expressen are not revealing the identities of politicians who commented on expressen.se, they are revealing the identities of commenters on racist / xenophobic sites friatider.se and avpixlat.info. The articles and comments on these sites are mostly very harsh, distastefully racist, and written anonymously. They have identified very racist commenters as members of the controversial, Swedish far-right, and most would say racist, party Sverigedemokraterna. The SD-party works hard to portray a more polished image, with for example a "zero tolerance policy on racism", which equates to you might be kicked out if you say or do something too obviously racist. SD has its roots in the 90s far-right racist movement in Sweden (http://www.youtube.com/watch?v=LZWsZyShR_s), and one of their mottos is "Sweden for the Swedish". The party is definitely mostly racist, but their official political stance is more xenophobic and socially conservative, with a few immigrants joining their ranks complaining, for example, that it is the Somali or immigrants who are the "real problem".

    Researchgruppen used a Disqus security flaw to find out which e-mail addresses were behind some of these racist commenters, and are now revealing that behind the nicknames were SD-politicians. So.. This is a big win for Expressen, since the Swedish mainstream media and most Swedes are sworn enemies to Sverigedemokraterna.

    And on another note.. Congratulations to Flashback, the quite huge, Swedish, non-profit, ultra-liberal and quite lawless discussion forum, which has absolute free speech and therefore has become illegal to run from Sweden (it's now run from abroad). Flashback has through the years succeeded in keeping their users' anonymity safe and freedom to speak total, no doubt without attempts from the Swedish state, police and media to the contrary - since Flashback has become the main hub for discussions about controversial subjects like drugs, racism and much more.

  • How it was done: (Score:5, Informative)

    by 140Mandak262Jamuna ( 970587 ) on Wednesday December 11, 2013 @12:22PM (#45660883) Journal
    Disqus site had MD5 hashes of users' email addresses. Some flaw in the site leaked the hashes and made them public. They probably thought nobody could reverse the hash. But they did not "salt" the email ids. So a simple dictionary attack, hashing millions of known email ids, produced matches. Now they can link email ids to Disqus user ids.

    Morals of the story:

    Don't leak hashes.

    Salt the data before hashing.

    Don't trust any website to value your anonymity over their profits.
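
The hashing point in the comment above, as an added example that is not part of the original comment and is not Disqus's code: an audit that checks whether an exposed identifier can be re-derived from a candidate address list. It goes beyond the comment by also covering a salt that is exposed together with the hash and a keyed HMAC; the addresses, nicknames and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def norm(email):
    return email.strip().lower().encode("utf-8")

def md5_id(email):
    # Scheme described in the comment: unsalted MD5 of the address.
    return hashlib.md5(norm(email)).hexdigest()

def salted_id(email, salt):
    # Per-record salt; only helps if the salt is not exposed with the hash.
    return hashlib.sha256(salt + norm(email)).hexdigest()

def keyed_id(email, key):
    # HMAC-SHA256 under a secret that never leaves the server.
    return hmac.new(key, norm(email), hashlib.sha256).hexdigest()

def reproducible(exposed, candidates, derive):
    """Return {user: email} for exposed identifiers that someone holding only
    the exposed record and a candidate address list can re-derive."""
    hits = {}
    for user, record in exposed.items():
        for email in candidates:
            if hmac.compare_digest(derive(email, record), record["id"]):
                hits[user] = email
    return hits

# Constructed sample data (example.com addresses, hypothetical nicknames).
USERS = {"nick_a": "alice@example.com", "nick_b": "bob@example.com"}
CANDIDATES = ["carol@example.com", "alice@example.com", "bob@example.com"]
SERVER_KEY = secrets.token_bytes(32)   # stays server-side, never exposed
GUESSED_KEY = b"\x00" * 32             # an outsider can only guess the key

def audit():
    md5_leak = {u: {"id": md5_id(e)} for u, e in USERS.items()}
    salt_leak = {}
    for u, e in USERS.items():
        s = secrets.token_bytes(16)
        salt_leak[u] = {"id": salted_id(e, s), "salt": s}
    hmac_leak = {u: {"id": keyed_id(e, SERVER_KEY)} for u, e in USERS.items()}
    return {
        "md5": reproducible(md5_leak, CANDIDATES, lambda e, r: md5_id(e)),
        "salt_exposed": reproducible(
            salt_leak, CANDIDATES, lambda e, r: salted_id(e, r["salt"])),
        "hmac": reproducible(
            hmac_leak, CANDIDATES, lambda e, r: keyed_id(e, GUESSED_KEY)),
    }
```

Email addresses are low-entropy inputs, so only the scheme whose secret is never exposed alongside the identifier leaves the audit with no matches.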

  • Re:Damn! (Score:4, Informative)

    by Sqr(twg) ( 2126054 ) on Wednesday December 11, 2013 @12:35PM (#45660977)

    But seriously, who uses a real email address to register anywhere?

    In this case, members of the Swedish racist party "Sverigedemokraterna". They are trying to paint a picture of themselves as "not racist" and "merely anti-immigration", and the party leadership has adopted a policy of excluding anyone who makes racist statements openly. The "avpixlat" site was officially not associated with the party, but it was an open secret that this was where they vented their true opinions anonymously.

    Now the hackers have a list of hundreds of names linked to incredibly racist quotes that they will presumably publish one at a time in order to do maximum damage to the party before the elections next year.
