
Disqus cracked – Security flaw reveals users’ e-mail addresses - SuperChihuahua
http://cornucopia-en.cornubot.se/2013/12/flash-disqus-cracked-security-flaw.html
======
draugadrotten
If a political organisation was revealing the identities behind anonymous
speech on a Jewish forum, the world would be up in arms. If the identities on
a gay board were published, Obama himself would be apologising. Now the
identities of thousands of people commenting on politics in Sweden were
revealed, and it's OK because "they" are the bad guys, says the extreme left
organisation Researchgruppen.

The slippery slope is

~~~
knowtheory
Being born into a Jewish family isn't a choice. Being gay isn't a choice.

Being politically affiliated with hate speech IS a choice.

That is some straight up false equivalency bullshit.

~~~
robomartin
The British probably thought those behind the movement that ultimately
resulted in the United States were engaging in hate speech. Be careful not to
use a tinted lens to evaluate the world. We all do it. I am not critical of
your statement. I am merely pointing out that dissenting points of view
throughout history have often met with push-back. Very often, years later,
those responsible for the "hate speech" were recognized as being at the root
of positive world-changing developments. Imagine the people who dared to
engage in "hate speech" against the flat earth and geocentric dogma, voting
rights, slavery, etc.

I am disagreeing with you on one point. Being Jewish is a choice, just like
being Christian is a choice. I was born into a family, like most, with
generations of religious belief. I, however, am an atheist. You don't have to
be a Jew. You can have jewish culture in your life, respect it and enjoy it.
That does not mean you have no choice but to also be religious. That part is a
choice. Just as it is for anyone from any other religion.

~~~
pyre
> Being Jewish is a choice

Do you think that proponents of Neo-Nazism (etc) really care about the
distinction between "born into a Jewish family" and "is a member of the Jewish
religion?" I'm not saying that there isn't a distinction, but people engaged
in hate usually aren't too interested in nuance.

~~~
robomartin
Probably not. But that's not what I was arguing. Right?

For every example we care to provide there's probably a deviant group more
than willing to discriminate against that population and even want to kill
them. I think the history of genocides more than proves that point.

Please don't be offended. Jews don't really have a monopoly on being hated or
being murdered en masse. Many argue --quite convincingly-- that the Jewish
genocide was modeled after the Armenian genocide of 1914/15 (the Nazis copied
some of the methods the Turks used on their Armenian population).

In the US, at least, in non-deviant circles, I believe you can be a person and
not someone "born into an <X> family". In that context whatever you push in
front of people as what defines you is up to you. Believe it or not, as an
atheist I have a number of good friends who are Born Again Christians. Every
single one of them is a great person. Each one of them chooses to define
themselves by their religion differently. One in particular will smash you in
the face with it every chance he gets. Not surprisingly he has suffered
greatly with employment because, well, this isn't something you wear on your
forehead and pester people with at work. The other guys are just guys who
happen to privately be BAC's. He is a militant BAC. Choice.

------
__pThrow
In all our worry about NSA taps, the simple fact is that Gravatar and now
Disqus allow anyone (the NSA, your health insurance company, groups who dislike
your group, etc.) to track your blog comments, help desk comments, any comment
you make around the net.

Your comments to gay rights groups, anti-gay rights groups, cancer support
groups, aids support groups, abortion groups, democratic politics, tea party
groups, gun rights groups, doctors offices, anyone using wordpress as a front
end group.

Anyone can do this with a simple search engine they create, and apparently we
don't care because Gravatar was set up by a Silicon Valley favorite and is now
owned by WordPress, who was informed of this years ago and refused to consider
it a privacy leak. And anyway we like them cutsie cartoon avatars.

Anyone can do this with a search engine that maps pages to MD5 hashes and vice
versa and either a rainbow table of email addresses, or even easier, a list of
your customers' email addresses, because let's see if any of our customers
have health problems they didn't disclose.

~~~
lmm
Any comments you make under your email address are attributable to that email
address. Duh. The _whole point_ of gravatar and disqus is to make it clear
that your comments on a bunch of different sites are from the same person.

If you don't want a particular comment associated with your name or email, why
would you ever fill in that name or email when commenting?

~~~
__pThrow
If I go to comment at a wordpress site it says this:

"Email (required) (Address never made public)"

MD5 leaks of my email address into web pages are in fact making my address
public.

Hey lmm, duh, when you make a comment under a different name but with the same
email address that you think is anonymous at your local HIV testing site, you
may not expect that your insurance company can track that down because
WordPress has been leaking your MD5 address all over the place.

~~~
driverdan
No it doesn't. You need to know the email address up front in order to
generate the hash.

~~~
lambda
But the point is that you can easily brute force that, especially if you have
a list of people that you suspect may be making such comments and their email
addresses.

Saying that your email is kept private by taking its MD5 sum is like expecting
that an unsalted MD5 sum for a password hash in a publicly accessible password
database will be secure for people with weak, brute-forcible passwords like
"1234". You are providing a little bit of obfuscation, but no real security.

------
nallerooth
The fact that MD5 hashes of email addresses can be brute forced is nothing
new. This has been pointed out for years, concerning services like Gravatar.
The only thing that is important is that Expressen/Researchgruppen believes
that they have the right to exploit Disqus' service in order to "make the
news".

~~~
Sae5waip
Why don't/shouldn't they?!

There's a security problem with Disqus.

Apparently it (the general technique) is "old news".

Apparently Disqus doesn't care enough to fix it.

Demonstrating the attack may be the only way to get them to care.

------
downer90
Anything requiring third-party cookies _AND_ requesting an e-mail address not
only stinks of spam-oriented advertising revenue, but also of total disregard
for user security. Even more telling were the options to sign in with services
like Facebook OAuth.

So from the beginning, I think it was always obvious that Disqus had no
interest beyond the bare minimum in casually protecting user privacy. This
prompted me to avoid ever providing Disqus with any kind of serious e-mail
address. Looks like my instincts served me well.

~~~
eli
You think Disqus is selling your email address to spammers?

------
f055
I don't get it: if your email address is so private, then why do you share it
with 3rd parties? Also, why would your email address be so private if the spam
filters are so efficient nowadays? What's the harm in having a public email
address? Please enlighten me.

~~~
darkarmani
> I don't get it: if your email address is so private, then why do you share it
> with 3rd parties?

How would you use it otherwise? My backyard is private, but I share it with a
few 3rd parties. That doesn't mean I intend to share my backyard with the
entire world.

There is an element of trust with particular 3rd parties that is being
violated. Why is that so hard to understand?

~~~
tedunangst
The address of your backyard is not private.

~~~
smackfu
Analogies are terrible. "Imagine X is like Y. Ok, but what about aspect Z of
Y? Oh, that doesn't apply to X."

------
eXpl0it3r
The article is a bit misleading. The so-called security flaw does not reveal
the e-mail address directly, but an MD5 hash of it. Sure it _can_ be cracked,
but it doesn't mean that it _will_ get cracked.

~~~
Sae5waip
Actually, yeah, it will be cracked, by _someone_.

And e-mail addresses aren't passwords; trying a few hundred variations for
each firstname for each lastname is perfectly feasible and should crack a nice
percentage of these hashes.

~~~
hrrsn
My email is firstname@companyname.co.nz (I have a few of these at different
companies). I'm fairly confident this isn't going to be cracked any time soon
by random MD5 hashing.

(of course, my real name can be extrapolated from my HN username)

~~~
Jakob
The rainbow table would just need to include alphanumeric letters + '@' for up
to 30 letters. I think your emails are in nearly every rainbow table in
existence.

~~~
aparadja
Just the 1-10 character lowercase alphanumeric rainbow table from
freerainbowtables.com is 297 GB. Of course, you can generate rainbow tables
with various parameters and tradeoffs so it's not trivial to compare them.

Still, I don't think I've ever had a rainbow table that contained plaintexts
longer than 12 characters. Are 30+ length tables common these days?

~~~
Jakob
EDIT: “nearly any _email_ rainbow table”, i.e. 1-10 characters cross joined
with all domains for a given tld.

You’re correct that brute force with an entropy of 3 per bit would still be
too big for rainbow table usage (like 10^15 PB too big).

------
cubehouse
MD5 hashes of emails are very common practice for Gravatar etc. - although it's
fairly sucky, I'm assuming this is in the API specifically for things like
showing Gravatar images.

I reported a username -> plaintext email vuln to Disqus earlier this year and
they were very prompt in patching it. I wouldn't criticize them for this at
all, as this is a very common issue across most blog comment systems.

Would be nice to change how Gravatar works, but it's fairly fundamental. I
think if you want your email to be private you should probably be registering
temporary ones or using the + aliases like gmail offers to avoid these kinds
of hash-cracking attacks.

~~~
amckenna
Another solution would be for these services to use something with a greater
work factor than MD5. When a typical user can brute force MD5s at a rate of
8.5 billion per second with an AMD HD7970 graphics card, then it's time to use
a different hashing algorithm. Something like scrypt or bcrypt with a larger
work factor would make these attacks much harder and more expensive, while
leaving the fundamentals of the system the same.

[http://hashcat.net/oclhashcat/](http://hashcat.net/oclhashcat/)
[https://www.tarsnap.com/scrypt.html](https://www.tarsnap.com/scrypt.html)
[https://en.wikipedia.org/wiki/Bcrypt](https://en.wikipedia.org/wiki/Bcrypt)

------
sneak
Y'all seem to be forgetting that this isn't random ASCII string bruteforcing:
you start with a list of known email addresses collected from other places or
bought from spammers, then you hash all those, and you see which ones match.

------
jstalin
Another reason to not use your real name or email address when commenting
across the web.

~~~
vocino
Or you know just be a decent person and not post things you wouldn't say in
person yourself.

~~~
TallGuyShort
Yeah - people have never been persecuted for who they are in person.

------
Asdfjgori
Get 150 million e-mail addresses from Adobe hack. Match vs Disqus users.
Profit.

~~~
gabriel34
Even better, you can be certain a great number of users reuse their password

~~~
Asdfjgori
True. A percentage of the union of Adobe and Disqus users will use the same
password for both services.

~~~
jessaustin
But if they haven't changed their password after the Adobe hack then they're
already boned, aren't they? How does the Disqus vuln add to that?

~~~
Asdfjgori
You don't want to try 150 million Adobe logins on Disqus. You want to identify
which ones to test first.

~~~
jessaustin
Maybe I'm being dense this morning... if I were in the Adobe 150M, some
criminals would _already have_ my email address, right? How does getting
Disqus's hash of it help them out?

~~~
gabriel34
Not being dense at all, it's a valid point, but crossing both leaks helps them
find out quickly which logins and password combos to try at disqus, and which
accounts will be compromised.

------
eterm
Surely any hashing would be susceptible?

Even a slower or more "secure" hash wouldn't help much, because I can take
your starting known email address and find comments you have made. i.e. I can
start with "bill@example.com", slowly hash that to 901e54d1 and then search
google for 901e54d1 to find comments you've made.

Speed isn't a big deal if I'm interested in attacking specific subsets of
emails. (Which could still be a "large" set in a real world sense.)

As long as the hashing algorithm is known then it would be weak to finding
comments made by known authors. If the hashing algorithm is unknown then it
falls under security by obscurity.

So is there any way to implement a decentralised pseudonymous but ID-based
system where the ID is tied to email but cannot be generated from email (or
rather is generated from email but with some added entropy that prevents going
in either direction in the future.).

~~~
jessaustin
In general, what you're asking about is called a "salted hash". I don't
understand enough about Disqus's system to say it would definitely have
prevented this vulnerability.

~~~
darkarmani
A salted hash only slows down brute-force attacks and dictionary attacks. The
salt is still stored with the hash, so you could still eventually match the
email address with the hash. Instead of hashing each email address once and
comparing it with all of your collected hashes, you'd have to hash each email
address using every salt until you found a match.

~~~
jessaustin
Sure, since they're using MD5, a salt wouldn't solve their problem,
especially if the salt were also part of the URL. And let's not pretend that
the URL itself is somehow secret: there are many ways to collect those,
particularly if specific users are targeted. _Usually_ when people are this
boneheaded about hashes they're trying to save storage space, but I can't
imagine that storing a separate random identifier would add significantly to
Disqus's storage.
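
The linkability problem eterm raises above (a deterministic hash of a known address, however slow, can be recomputed and searched for), together with the two fixes this subthread discusses (a hash under a server-side secret, or a separate random identifier), as an added Python example. This is not code from Disqus, Gravatar or any commenter; the addresses, the outsider's list and the server key are constructed sample values, and `linkable` is a hypothetical audit helper for checking one's own published identifiers.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the commenters a service knows about, and the
# list of addresses an outsider has collected elsewhere (two overlap).
USERS = ["alice@example.org", "bill@example.com", "carol@example.net"]
OUTSIDE_LIST = ["bill@example.com", "dave@example.com",
                "alice@example.org", "erin@example.org"]


def gravatar_style_id(email: str) -> str:
    """Unkeyed md5 of the normalised address, the form avatar URLs embed.
    Anyone holding a candidate address can recompute this."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def keyed_id(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret held only by the service. Still
    deterministic for the service's own lookups, but not recomputable by
    anyone who lacks the key (unlike a salt published beside the hash)."""
    return hmac.new(key, email.strip().lower().encode("utf-8"),
                    hashlib.sha256).hexdigest()


def random_id() -> str:
    """Random identifier stored in the account record; it is not a
    function of the address at all, so there is nothing to recompute."""
    return secrets.token_hex(16)


def linkable(public_ids, candidates, id_fn):
    """Audit check (hypothetical helper): map each published identifier
    to the candidate address that produces it under id_fn. A non-empty
    result means the published identifiers link back to addresses."""
    table = {id_fn(addr): addr for addr in candidates}
    return {pid: table[pid] for pid in public_ids if pid in table}


def compare_schemes():
    """Publish identifiers for USERS under each scheme, then run the audit
    with only what an outsider has: the public IDs, their own address list,
    and (for the keyed scheme) a guessed key. Returns match counts."""
    server_key = secrets.token_bytes(32)  # known only to the service
    published = {
        "md5": [gravatar_style_id(u) for u in USERS],
        "hmac": [keyed_id(u, server_key) for u in USERS],
        "random": [random_id() for _ in USERS],
    }
    outsider_fns = {
        "md5": gravatar_style_id,
        "hmac": lambda a: keyed_id(a, b"guessed-key"),
        "random": gravatar_style_id,
    }
    return {name: len(linkable(published[name], OUTSIDE_LIST, outsider_fns[name]))
            for name in published}


if __name__ == "__main__":
    for scheme, n in compare_schemes().items():
        print(f"{scheme:7s} linked {n} of {len(USERS)} published identifiers")
```

Run as written, the md5 scheme links two of the three published identifiers to addresses on the outsider's list, while the HMAC and random schemes link none. The point darkarmani makes about salts still applies: a per-user salt stored next to the hash only multiplies the attacker's work, because they can recompute each hash with its salt; the HMAC key never leaves the server, so there is no per-candidate recomputation to do. A random identifier goes one step further and encodes nothing about the address, at the cost of one extra stored column, which is the trade-off jessaustin describes.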

------
Asdfjgori
Researchgruppen seems to be in violation of the Disqus terms of service by
harvesting personal information and also disclosing this in other mediums.

~~~
oneeyedpigeon
So what? I doubt they're bothered if Disqus bans them from using their
service.

------
kmfrk
Glad I use separate e-mail addresses for signing up to sites and for personal
correspondence.

------
gabriel34
So, what would suffice to maintain anonymity AND the ability to send the user
email notifications?

I'm guessing Hashing (not MD5 though) + Salting + throwing away the salt and
bruteforcing it every time you need the plain email (you will lose the option
to mass mail your users)

Even then the whole concept of anonymity AND email bound account seems kind of
silly. Even if the user uses a secondary email address just for this, he still
has to trust the email provider (and if he uses a throwaway, what is the point
of collecting it anyway?)

This crack is proof that services that provide a fake sense of anonymity can
do a lot of harm.

------
dutchbrit
Old olllddd news, almost every Wordpress blog uses Gravatar, same issue...

~~~
subsystem
So why do you feel compelled to post when you know what you are saying is old
news? You just add to the noise and make it off-putting for anyone else to
post who actually knows about this event, including your obvious point.

~~~
nkuttler
Now I'm confused... why do you feel compelled to reply? You just add to the
noise.

~~~
AznHisoka
Men = Ego.

------
stonemetal
Why MD5 the email addresses? If you just need a unique id for a user, why not
use a GUID or something that isn't traceable from public information?

------
antonpug
Nice. Glad I decided against using Disqus for my site.

------
anilshanbhag
Where does one get the dataset of email IDs of Adobe users?

------
ddebernardy
Yawn. A rainbow table can be used to determine str in MD5(str). News at 11…

~~~
Sae5waip
The news is that Disqus is relying on that.

~~~
ddebernardy
So does Automattic with Gravatars (on nearly 20% of the internet, no less),
and pray tell how many other companies use md5(email) as a unique ID for
one reason or another. Duh! What were they thinking!

~~~
Sae5waip
I don't know what they were thinking. It's wrong, they shouldn't violate their
users' privacy like that.

