Disqus Bug Deanonymizes Commenters
alphatel writes "The Swedish company Researchgruppen has discovered a flaw in the Disqus commenting system, enabling them to identify Disqus users by their e-mail addresses. The crack was done in cooperation with the Bonnier Group tabloid Expressen, in order to reveal politicians commenting on Swedish hate-speech sites."
One company being able to build up a collection of your comments and opinions across multiple websites.... Thank goodness I only comment on Slashdot
Bear in mind, most of the people in the world haven't structured their lives around understanding technology. They may like technology, they may be technology groupies, but they probably haven't really contemplated the ramifications of technology or how it can be used differently than their preconceived notions. They probably don't necessarily get that databases can be cross-referenced so easily or that unless they're willing to go through a specific amount of work each and every time they want to obfuscate their identities, it's likely that someone can figure out who they are.
Another thing to remember, it's never really been possible to be truly anonymous when saying something in text. In the days when the printing press was the preferred way, one still had to have trusted people to help print and distribute the words. In early electronic days when dialup was king, there were always phone records and one had to have accounts on bulletin boards, and systems like FidoNet kept origination records. In the days of Usenet, messages could at least be tracked back to a news server of origin, and assuming that records were kept, the ISP information could be found and then the subscriber account could be identified.
Nowadays, unless the person wants to take the special laptop that's only used for this purpose, with a special add-on wifi adapter, go park next to a public wifi hotspot and use that public connection, being sure to store the equipment far enough away from themselves when not using it for plausible deniability, there really isn't true anonymity. If one wants to truly remain anonymous, one generally has to not say anything. That's the tradeoff, true anonymity comes at the price of nonparticipation.
Do not look into laser with remaining eye.
You're not the one who gets to decide what is unacceptable; prospective employers do. If employers see something that is, to you, completely innocuous or just a tad embarrassing, and they find it offensive or unacceptable, it's not really going to matter how minor you believe it is. Using your real name is just stupid.
Actually Expressen are not revealing the identities of politicians who commented on expressen.se, they are revealing the identities of commenters on racist / xenophobic sites friatider.se and avpixlat.info. The articles and comments on these sites are mostly very harsh, distastefully racist, and written anonymously. They have identified very racist commenters as members of the controversial, Swedish far-right, and most would say racist, party Sverigedemokraterna. The SD-party works hard to portray a more polished image, with for example a "zero tolerance policy on racism", which equates to you might be kicked out if you say or do something too obviously racist. SD has its roots in the 90s far-right racist movement in Sweden (http://www.youtube.com/watch?v=LZWsZyShR_s), and one of their mottos is "Sweden for the Swedish". The party is definitely mostly racist, but their official political stance is more xenophobic and social conservative, with a few immigrants joining their ranks complaining, for example, that it is the Somali or immigrants who are the "real problem".
Researchgruppen used a Disqus security flaw to find out which e-mail addresses were behind some of these racist commenters, and are now revealing that behind the nicknames were SD-politicians. So.. This is a big win for Expressen, since the Swedish mainstream media and most Swedes are sworn enemies to Sverigedemokraterna.
And on another note.. Congratulations to Flashback, the quite huge, Swedish, non-profit, ultra-liberal and quite lawless discussion forum, which has absolute free speech and therefore has become illegal to run from Sweden (it's now run from abroad). Flashback has through the years succeeded in keeping their users' anonymity safe and freedom to speak total, no doubt without attempts from the Swedish state, police and media to the contrary - since Flashback has become the main hub for discussions about controversial subjects like drugs, racism and much more.
Morals of the story:
Don't leak hashes.
Salt the data before hashing.
Don't trust any website to value your anonymity over their profits.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
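The "don't leak hashes" and "salt before hashing" morals in the comment above, as an added example that is not part of the original thread: a check a site operator could run to see whether the identifiers it exposes can be matched back to addresses. The addresses, nicknames, the choice of SHA-256, and every function name are constructed assumptions; the "salt" is modelled as a secret server-side HMAC key, because a salt published next to the digest would not prevent the matching.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; the real addresses and hash algorithm are not on the page.
COMMENTERS = {"nick_a": "alice@example.org", "nick_b": "bob@example.net"}
KNOWN_ADDRESSES = ["carol@example.com", "alice@example.org", "bob@example.net"]


def normalize(email: str) -> str:
    return email.strip().lower()


def unsalted_digest(email: str) -> str:
    """Plain digest of the address: same input gives the same output for everyone."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def keyed_digest(email: str, key: bytes) -> str:
    """HMAC with a secret server-side key: not reproducible without the key."""
    return hmac.new(key, normalize(email).encode(), hashlib.sha256).hexdigest()


def match_exposed(exposed: dict, candidates: list, digest) -> dict:
    """Return nickname -> address for each exposed digest a candidate reproduces."""
    lookup = {digest(c): c for c in candidates}
    return {nick: lookup[h] for nick, h in exposed.items() if h in lookup}


def audit() -> tuple:
    server_key = secrets.token_bytes(32)  # stays on the server, never published
    exposed_plain = {n: unsalted_digest(e) for n, e in COMMENTERS.items()}
    exposed_keyed = {n: keyed_digest(e, server_key) for n, e in COMMENTERS.items()}
    # An outside party holds only a candidate list and the public algorithm.
    plain_hits = match_exposed(exposed_plain, KNOWN_ADDRESSES, unsalted_digest)
    keyed_hits = match_exposed(exposed_keyed, KNOWN_ADDRESSES, unsalted_digest)
    return plain_hits, keyed_hits


if __name__ == "__main__":
    plain, keyed = audit()
    print("re-identified from unsalted digests:", plain)
    print("re-identified from keyed digests:   ", keyed)
```

Every nickname whose unsalted digest is exposed maps back to its address, while the keyed digests match nothing; not exposing the value at all remains the stronger control.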