Disqus Bug Deanonymizes Commenters

alphatel writes "The Swedish company Resarchgruppen has discovered a flaw in the Disqus commenting system, enabling them to identify Disqus users by their e-mail addresses. The crack was done in cooperation with the Bonnier Group tabloid Expressen, in order to reveal politicians commenting on Swedish hate speech-sites."

Re:A simpler approach

Actually Expressen are not revealing the identifies of politicians who commented on expressen.se, they are revealing the identities of commenters on racist / xenophobic sites friatider.se and avpixlat.info. The articles and comments on these sites are mostly very harsh, distastefully racist, and written anonymously. They have identified very racist commenters as members of the controversial, Swedish far-right, and most would say racist, party Sverigedemokraterna. The SD-party works hard to portray a more polished image, with for example a "zero tolerance policy on racism", which equates to you might be kicked out if you say or do something too obviously racist. SD has it roots in the 90s far-right racist movement in Sweden (http://www.youtube.com/watch?v=LZWsZyShR_s), and one their mottos is "Sweden for the Swedish". The party is definitely mostly racist, but their official political stance is more xenophobic and social conservative, with a few immigrants joining their ranks complaining, for example, that it is the Somali or immigrants who are the "real problem".

Researchgruppen used a Disqus security flaw to find out which e-mail addresses were behind some of these racist commenters, and are now revealing that behind the nicknames were SD-politicians. So.. This is a big win for Expressen, since the Swedish mainstream media and most Swedes are sworn enemies to Sverigedemokraterna.

And on another note.. Congratulations to Flashback, the quite huge, Swedish, non-profit, ultra-liberal and quite lawless discussion forum, which has absolute free speech and therefore has become illegal to run from Sweden (it's now run from abroad). Flashback has through the years succeeded in keeping their users anonymity safe and freedom to speak total, no doubt without attempts form the Swedish state, police and media to the contrary - since flashback has become the main for hub for discussions about controversial subjects like drugs, racism and much more.

How it was done:

[140Mandak262Jamuna]

Disqus site had md5 hashes of users' email addresses. Some flaw in the site leaked the hashes and made them public. They probably thought nobody could reverse the hash. But they did not "salt" the email ids. So simple dictionary attack, of hashing millions of known email ids, produced matches. Now they can link email ids to disqus user ids.

Morals of the story:

don't leak hashes.

Salt the data before hashing

Don't trust any website to value your anonymity over their profits.