Disqus May Not Have Been Hacked; But It Was Certainly Exploited

13 December 2013

Earlier this week a politically motivated group of Swedish investigative journalists linked some supposedly anonymous right-wing comments posted via Disqus to their actual authors. While several of the authors freely admitted to the posts, it also led to a few resignations from the far-right Sweden Democrat political party.

Now one of the journalists, Martin Fredriksson, has told The Local, "the unmasking of a few thousand users behind pseudonyms used on far-right sites in Sweden could just be the tip of the iceberg." Their project, which started back in February 2013, also highlights the grey area between research and hacking – their process was similar in concept to how Andrew Auernheimer (aka 'weev') obtained the e-mail addresses of iPad users from AT&T in 2010. Auernheimer was later found guilty of offenses under the Computer Fraud and Abuse Act in the US, and imprisoned.

But like Auernheimer, Fredriksson did not, in his own terms, actively hack Disqus. Instead the group used a freely available part of the Disqus service. "We used an open Disqus API protocol to obtain the data," he told The Local. He then wrote a script to automate the process. "You usually get around 100 comments with one request, but our system was able to send ten requests at once," he explained.
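The harvesting pattern described above (full pages of roughly 100 comments, ten requests fired in parallel) is visible from the service side long before a database of 29 million comments exists. The following is an added example, not code from Disqus or from the Research Group: a sliding-window counter over constructed API access log lines that flags any client whose request rate or returned-item volume in one minute exceeds a threshold. The endpoint path, client ids and thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log format assumed for this example: <ISO-8601 timestamp> <client id> <endpoint> <items returned>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed API access log: made-up client ids and a placeholder endpoint path."""
    base = datetime(2013, 12, 10, 10, 0, 0)
    lines = []
    # client-A: ten list requests every second for six seconds, each returning a full
    # page of 100 comments (the batch-harvesting pattern the article describes).
    for second in range(6):
        stamp = (base + timedelta(seconds=second)).strftime(TS_FMT)
        lines += [f"{stamp} client-A /api/comments/list 100"] * 10
    # client-B: an ordinary reader loading two comment threads over a minute.
    lines.append(f"{(base + timedelta(seconds=5)).strftime(TS_FMT)} client-B /api/comments/list 100")
    lines.append(f"{(base + timedelta(seconds=40)).strftime(TS_FMT)} client-B /api/comments/list 23")
    # A malformed line, to show that the parser skips rather than crashes on it.
    lines.append("this line is malformed and is skipped")
    return lines


def parse_line(line):
    """Return (timestamp, client, endpoint, items) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3), int(m.group(4))


def flag_bulk_clients(lines, window=timedelta(seconds=60), max_requests=30, max_items=5000):
    """Per-client sliding window. A client is flagged the first time a window of `window`
    length holds more than max_requests calls or returns more than max_items comments.
    The thresholds are illustrative and must be calibrated against real traffic."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ts, client, _endpoint, items = rec
            per_client[client].append((ts, items))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start, items_in_window = 0, 0
        for end, (ts, items) in enumerate(events):
            items_in_window += items
            # Slide the window start forward until every event inside it is < window old.
            while ts - events[start][0] >= window:
                items_in_window -= events[start][1]
                start += 1
            requests_in_window = end - start + 1
            if requests_in_window > max_requests or items_in_window > max_items:
                flagged[client] = {"requests": requests_in_window, "items": items_in_window}
                break
    return flagged


if __name__ == "__main__":
    for client, stats in flag_bulk_clients(build_sample_log()).items():
        print(f"{client}: {stats['requests']} requests / {stats['items']} comments in one window")
```

On the constructed log, client-A trips the request threshold at its 31st call (3,100 comments already returned) while client-B is never flagged. What the counter cannot do is decide intent: a legitimate syndication partner looks the same as a scraper, which is why the reasonable response to a flag is a rate limit or an API-key requirement rather than a block.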

The result is that his group is now sitting on a database of 29 million supposedly anonymous comments from sites that use the Disqus system – such as CNN, The Telegraph, ABC News, and The Jerusalem Post, as well as from mainstream Swedish news sites such as Svenska Dagbladet, SVT Debatt, and The Local itself.

"Members of the Research Group quickly realized, however," reports The Local, "that the data they received also came with metadata that included the email addresses tied to anonymous Disqus accounts."

"We got a lot of data we probably weren't supposed to get," said Fredriksson, emphasizing that the group used no illicit methods but simply made use of a flaw in the Disqus security. 

Disqus sort of agreed. "Disqus has not been cracked," said Stephen Roy, VP marketing, in a blog statement. "No emails were leaked by Disqus. Disqus offers an API service that includes MD5 hashes of email addresses in order to use Gravatar, a commonly used third party service that enables users to display a consistent avatar across platforms." He added that what Fredriksson did was "a breach of our privacy guidelines."
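The security-relevant point in Roy's statement is that an unkeyed MD5 of an email address is not a pseudonym: anyone who already holds a list of candidate addresses can hash them the same way and join the result against the hashes an API hands out. The following is an added example, not Disqus or Gravatar code, showing that join as a check a site operator can run on their own API output, beside the keyed alternative. The addresses are constructed, and the HMAC token is an assumed design, not anything Disqus stated it uses.

```python
import hashlib
import hmac

# Constructed directory of addresses a third party might already hold
# (a membership list, a mailing list); all of these are made up.
KNOWN_EMAILS = [
    "alice@example.org",
    "Bob@Example.net",
    "carol@example.com",
]


def normalise(email: str) -> bytes:
    """Gravatar's canonical form for an address: trim whitespace, lower-case, UTF-8."""
    return email.strip().lower().encode("utf-8")


def gravatar_hash(email: str) -> str:
    """Unkeyed MD5 of the normalised address: the value Gravatar looks avatars up by,
    and therefore the value an API that supports Gravatar exposes to every caller."""
    return hashlib.md5(normalise(email)).hexdigest()


def link_hashes(exposed_hashes, known_emails):
    """Operator's check: how many hashes in an API response resolve against a
    directory you already hold? Every hash the join resolves is an account whose
    'anonymous' comments are linkable to a real address by anyone with that directory."""
    table = {gravatar_hash(e): e.strip().lower() for e in known_emails}
    return {h: table[h] for h in exposed_hashes if h in table}


def keyed_avatar_token(email: str, server_key: bytes) -> str:
    """Assumed mitigation: an HMAC-SHA256 under a server-held key. The token still
    identifies one account consistently across comments, but nobody without the key
    can recompute it from a candidate address, so it cannot be joined against outside lists."""
    return hmac.new(server_key, normalise(email), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed API output: one hash that is in the directory, one that is not, one junk value.
    exposed = [gravatar_hash("bob@example.net"), gravatar_hash("nobody@unknown.example"), "0" * 32]
    print("linkable:", link_hashes(exposed, KNOWN_EMAILS))
    print("keyed token:", keyed_avatar_token("bob@example.net", b"server-key-placeholder"))
```

The trade-off is exactly the one Roy's statement points at: Gravatar itself needs the raw MD5 in its request URL, so a keyed token only helps if the site fetches avatars server-side (or omits the hash entirely for accounts that have not linked a Gravatar). The join itself is cheap and exact, with no brute force involved, because the input space is not a secret but a list of addresses that already exists somewhere.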

For his part, Fredriksson stressed that he 'didn't even use any account for this, and never had to agree on any terms of service.' "We are researchers and they cannot blame us for researching openly available data. I think the bad guys are those who handle our personal information so carelessly," he told The Local.

It is a continuing grey area. Where does research end and hacking begin? It is behavior almost certainly in contravention of the US Computer Fraud and Abuse Act – but it is little different to what security researchers do all the time. In this instance it is complicated by the nature of the Swedish investigative journalists. Their primary motivation was almost certainly political research rather than security research. Nevertheless, they exposed, and have therefore improved, a major security flaw.
