
Swedes uncover Disqus user security breach - aburan28
http://www.thelocal.se/20131212/millions-of-disqus-comments-leaked-to-swedish-group
======
staticelf
Worth noting is that "Researchgruppen" or "The research group" is an extremist
left-wing group that exposes normal folks and has ties to people that
threaten and use violence against people with different opinions than theirs.
Also worth noting is that the Sweden Democrats is not at all far-right, it is
more like a conservative social party. More left than right for example. It is
also today one of the biggest parties in Sweden and will most likely grow to
be the biggest soon.

Researchgruppen are part of the politically correct elite in Sweden, supported
by basically mainstream media which is most likely the worst in the world when
it comes to being objective, which this article just proves.

For people interested, the major newspaper bought this information from
"Researchgruppen" in order to seek, follow and harass everyday citizens and
put their faces on the front pages telling the country they are racists. Sure,
maybe some were technically writing racist comments online, but the gestapo
moves from the news organizations in Sweden are just one of the many
harassments you'll receive if you have any critique whatsoever against the
large immigration numbers. They have used several illegal actions (credit
checks for example) in order to find information on the people they were
harassing. The people who got their faces put on the front pages did not get
any chance to defend themselves or even tell their story.

This is also old news in Sweden.

~~~
tiedmann
As a fellow Swede I just don't agree with anything you have to say. Outing
politicians who are ranting online is fair game as far as I'm concerned. The
Sweden Democrats attract racists and their roots are racist, there's just no
way to deny that - they mostly follow the same neo-fascist agenda of similar
parties throughout Europe.

~~~
staticelf
So you believe that people should be allowed to express their opinions being
anonymous? If yes, why should that not be the case for politicians?

~~~
thecopy
There is a public interest issue when politicians say one thing to the voters
and another behind closed doors.

~~~
staticelf
But that is the exact same thing as saying people should not be allowed to
speak up anonymously. Either you are anonymous or you are not.

~~~
thecopy
I'm not arguing against anonymity, I am arguing that there is an ethical
difference between releasing information about the fact that there's a difference
between what a politician says publicly and what the politician really thinks,
and the same situation with a private citizen.

A politician wants to change the laws and circumstances for our lives, and
he/she gets a mandate to do that by convincing the voters that they have
aligned interests.

~~~
staticelf
Alright I understand and I agree.

In this case though it was mostly normal citizens who weren't politicians and
they used illegal methods in order to gain personal information about them.

~~~
thecopy
Agreed, and that is despicable.

------
perryh2
This is from 2013. Please mention this in the title.

------
_jomo
This is a bad article and what it claims is just wrong:

> the data they received also came with metadata that included the email
> addresses tied to anonymous Disqus accounts

What they received were Gravatar URLs which include the MD5 hash of the
sender's email address. Obviously you can scrape the web and find more avatars
with a matching email address hash and start mapping them to the same author.
You can also try brute forcing the hash to find the original address, but all
that is not a Disqus security breach.

It's scraping public websites, maybe one could call it social engineering, but
after all it's a targeted attack and no flaw in Disqus.

There is of course something wrong with making email hashes public through
avatar URLs, but that's all Gravatar's fault.

Many people probably want to see Gravatar support on the websites they use,
and it's also very easy to implement by developers. It's pretty much a
monopoly and they're the only ones to fix it.

------
foxhop
I'm bootstrapping a Disqus "clone" that I plan to open source and offer hosted
versions as a SaaS company.

I'm still building the MVP but I have a demo running here:
[http://www.remarkbox.com](http://www.remarkbox.com)

I've taken special care to not hash user emails when generating avatars.

In addition by default:

* users are anonymous

* Gravatar is disabled

For default avatars I plan to fork
[https://github.com/Bekt/invatar](https://github.com/Bekt/invatar) (to add
image caching)

~~~
ShinyCyril
This looks nice – I've been using
[Isso](https://posativ.org/isso/) for the past
year or so.

~~~
foxhop
cool, never knew that existed.

------
eadz
Gravatar should stop their support for unsalted MD5 hashes. It's just too
insecure when most people don't understand the implications of sharing a MD5
hash of a user's email.

~~~
koolba
The only way something like Gravatar works is by having something that's
directly computable from the source email address (or whatever the identifying
field is). Whether it's a MD5, SHA256, or whatever is irrelevant.

Similarly having it be a salted (instead of the currently unsalted) hash
wouldn't help anything. The salt would need to be public for separate web
sites to reference the same avatar for the same email address.

Short of authenticated requests to Gravatar (which again kills the point of
how it all works), one alternative would be to make the computation function
more expensive, either by performing multiple rounds of the hash function or
switching to a "slow" hash function (ex: bcrypt or scrypt). The latter would
require a fixed salt and wouldn't really work for the use case as it'd slow
down any webpage that links to multiple gravatars to a crawl.

The real issue here is that the email address space is fairly predictable. If
you want HASH($EMAIL) to be unpredictable then instead of
first.last@example.com switch to ~ `[a-z0-9]{16}@example\.com`.

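The three designs argued over in this thread (_jomo's point that the Gravatar URL is a plain MD5 of the address, koolba's point that a site-specific salt or key breaks cross-site consistency, and foxhop's choice of avatars not derived from the email at all) side by side, as an added example that is not code from the article, Disqus, Gravatar or any commenter. The `gravatar_hash` normalisation (trim, lowercase, MD5) and the test address `MyEmailAddress@example.com` follow Gravatar's public hash documentation linked later in the thread; `keyed_avatar_id`, `OpaqueAvatarStore` and `cross_site_linkable` are constructed here to show the trade-offs, not real APIs.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"


def gravatar_hash(email: str) -> str:
    """Gravatar's documented normalisation: trim whitespace, lowercase, MD5 hex digest.

    The digest is a deterministic public function of the address, so anyone who
    already holds a candidate address can confirm it with one MD5 call, and the
    same user is linkable across every site that embeds the URL.
    """
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80, default: str = "identicon") -> str:
    """Avatar URL in the documented form (s = pixel size, d = fallback style)."""
    return GRAVATAR_BASE + gravatar_hash(email) + "?" + urlencode({"s": size, "d": default})


def keyed_avatar_id(email: str, site_key: bytes) -> str:
    """Constructed alternative: HMAC-SHA256 under a per-site secret (not Gravatar's design).

    Without site_key the id cannot be recomputed from an address, so a public URL no
    longer confirms address guesses; but two sites with different keys derive
    different ids for the same user, which is exactly the cross-site consistency
    that koolba notes a Gravatar-style service needs.
    """
    msg = email.strip().lower().encode("utf-8")
    return hmac.new(site_key, msg, hashlib.sha256).hexdigest()


class OpaqueAvatarStore:
    """Constructed alternative: avatar ids are random tokens, not derived from the email.

    The token -> email mapping lives only inside the store (server side); the public
    URL carries nothing computable from the address, the approach foxhop describes.
    """

    def __init__(self) -> None:
        self._by_email: dict[str, str] = {}
        self._by_token: dict[str, str] = {}

    def avatar_id(self, email: str) -> str:
        key = email.strip().lower()
        if key not in self._by_email:
            token = secrets.token_hex(16)  # 128 random bits, independent of the address
            self._by_email[key] = token
            self._by_token[token] = key
        return self._by_email[key]

    def lookup(self, token: str):
        """Only the store itself can go from token back to address."""
        return self._by_token.get(token)


def cross_site_linkable(make_id_site_a, make_id_site_b, email: str) -> bool:
    """True when two independent sites expose the same public id for one address."""
    return make_id_site_a(email) == make_id_site_b(email)


if __name__ == "__main__":
    # Constructed sample address; the documented Gravatar example is used in the tests.
    user = "commenter@example.com"
    print("gravatar URL :", gravatar_url(user))
    print("keyed id A   :", keyed_avatar_id(user, b"site-a-secret"))
    print("keyed id B   :", keyed_avatar_id(user, b"site-b-secret"))
    store_a, store_b = OpaqueAvatarStore(), OpaqueAvatarStore()
    print("opaque id A  :", store_a.avatar_id(user))
    print("opaque id B  :", store_b.avatar_id(user))
    print("linkable via Gravatar:", cross_site_linkable(gravatar_hash, gravatar_hash, user))
    print("linkable via opaque  :", cross_site_linkable(store_a.avatar_id, store_b.avatar_id, user))
```

Running it shows the trade-off directly: the Gravatar scheme is the only one of the three where two unrelated sites publish the same identifier for one address, and it is also the only one whose identifier is a pure function of that address; the keyed and opaque schemes remove the exposure at the cost of the cross-site avatar that Gravatar exists to provide.
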
~~~
ikeboy
They need to provide avatar, given hash, i.e. implement a public
getavatar(emailhash) function.

They don't need to provide hash given account, i.e. getemailhash(comment).

If someone uses a unique avatar they can be identified by bruteforcing emails,
generating md5s, then querying gravatar, but I assume most users don't change
from the default. You also couldn't prove it, because you may have missed a
different email which has the same avatar.

------
dan1234
> He explained that Disqus offers API services that include "MD5 hashes" of
> email addresses that allow users to access third-party services such as
> Gravatar, which in turn permits users to display a consistent avatar across
> platforms.

Does this mean that other services using Gravatar are also leaking in this
way?

~~~
m_eiman
Yes.

Docs here:
[http://sv.gravatar.com/site/implement/hash/](http://sv.gravatar.com/site/implement/hash/)

------
gpvos
(2013)

------
cm2187
These idiots seem to suggest that leaking the MD5 of an email isn't leaking
the email itself.

I wonder if 3 years later they are still that incompetent.

Might be old news but I missed it in 2013, and I would have never used Disqus
since if I didn't.

~~~
bentlegen
From the article:

> Roy added that Disqus was disabling use of the Gravatar service and removing
> the MD5 hash email from its API.

