Menu
Disqus scrambles after leak fuels Swedish tabloid exposé

Disqus scrambles after leak fuels Swedish tabloid exposé

The company's API leaked information that allowed a tabloid to link offensive forum comments to email addresses

Disqus is updating its widely-used comments platform after a Swedish tabloid exposed politicians and other public figures for allegedly making highly offensive comments on right-wing websites.

The Swedish daily Expressen, working with an investigative journalism group, said it uncovered the identity of hundreds of people who left offensive comments at four right-wing websites through their email addresses. It then confronted the authors of the comments, many of whom freely admitted to writing them.

Later on Tuesday, Disqus said its network had not been breached and that it did not leak email addresses. The journalists appeared to have abused a feature it used for a third-party service, it said.

Based on information from Disqus and other observers, a general picture of the journalists' method has emerged.

Disqus used a third-party service called Gravatar from Automattic, the company behind the WordPress software. Users can upload an avatar, which will then appear on any Gravatar-enabled website.

A Disqus API (application programming interface) fetched avatars from Gravatar using the hashed email addresses of registered users. A hash is a cryptographic representation of a value processed by an algorithm.

For example, the email address "idg@idgnews.com" when processed by the MD5 algorithm appears as this hash: "0ff3eeab2b765f017a526bbddd328c3b."

The journalists likely collected the nicknames of commentators from the websites, then pinged Disqus' API to see what MD5 value was returned. They could have gained access to Disqus' API by creating an account, according to Eaxbreakparty, a blog run by a self-described cryptography enthusiast.

With that value in hand, a couple of scenarios are possible. If the journalists already had a database of personal email addresses, they could generate the MD5 hash for those addresses and then see which ones match the hashes returned by Disqus.

Also, it is possible, but difficult, to convert MD5 hashes back to their original value, which would give them email addresses with which to perform further research.

Disqus said in a statement that "to use our API or service for such purposes, is a breach of our privacy guidelines." The account believed to have been used for the research would be terminated, it said.

The company said it would also disable Gravatar and remove "the MD5 hash email addresses from the API. We will evaluate any further changes that will need to be made based on these actions."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags securityDisqus

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Show Comments