
Swedes uncover Disqus user security breach

David Landes · 12 Dec 2013, 15:15

Published: 12 Dec 2013 15:15 GMT+01:00

After outing several 'online haters' at home, which caused several resignations from the populist, far-right Sweden Democrat party, the Swedish investigative journalists behind the revelations said they had accessed the identities of several million commenters using the popular Disqus system.

Martin Fredriksson and his colleagues started collecting Disqus data back in February 2013 as part of a project to more closely analyze anonymous online comments. They hoped to understand more about who was behind hateful and racist comments on far-right websites in Sweden. They unearthed some 6,000 anonymous accounts in Sweden on commission from the tabloid Expressen, which published the data on Tuesday.

Fredriksson told The Local on Thursday that the unmasking of a few thousand users behind pseudonyms used on far-right sites in Sweden could just be the tip of the iceberg.

There are millions of Disqus users whose identity is at risk of exposure, said Fredriksson, responsible publisher (ansvarig utgivare) for the Research Group (Researchgruppen), who added that his group's database contained a total of 29 million comments from Disqus users around the world.

"We used an open Disqus API protocol to obtain the data," he said, using a common acronym for "application protocol interface", which specifies how software components should interact with one another. In order to obtain the data more efficiently, Fredriksson wrote a programme that automated the data download requests sent to Disqus servers.

"You usually get around 100 comments with one request, but our system was able to send ten requests at once," he explained.

While the thrust of the research focused on far-right sites in Sweden, data was also collected from news sites elsewhere in the world, including CNN, The Telegraph, ABC News, and The Jerusalem Post, as well as from mainstream Swedish news sites such as Svenska Dagbladet, SVT Debatt, and The Local.

Members of the Research Group quickly realized, however, that the data they received also came with metadata that included the email addresses tied to anonymous Disqus accounts.

"It came as something of a shock," he said. "We got a lot of data we probably weren't supposed to get."

Fredriksson emphasized that the group didn't use any illicit methods in obtaining the data, but that the information was included in their trawl due to a security flaw at Disqus.

"When you leave a comment as a Disqus user, there is information about the date, username, and the comment itself which is open data," he said. "But (Disqus) also sent us data with coding that made it possible to identify people's email addresses."

After it emerged that Disqus users had been identified in the Expressen news stories, the company was quick to take action.

"Disqus has not been cracked. No emails were leaked by Disqus," vice president for marketing Stephen Roy said in a statement released on Tuesday.

He explained that Disqus offers API services that include "MD5 hashes" of email addresses that allow users to access third-party services such as Gravatar, which in turn permits users to display a consistent avatar across platforms.

"This appears to be a targeted attack on a group of individuals using pattern matching of their activity across the web, associated with email addresses used by those individuals," said Roy, calling the actions a breach of Disqus privacy regulations. "As in all such cases, we are terminating the account."

Roy added that Disqus was disabling use of the Gravatar service and removing the MD5 hash email from its API.
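Why an unsalted MD5 of an email address does not work as an anonymous identifier, and how a keyed hash differs, shown as an added example that is not code from Disqus, Gravatar or the Research Group. It assumes the API field followed Gravatar's convention (MD5 of the trimmed, lower-cased address); the accounts, addresses, key and function names are constructed for illustration.

```python
import hashlib
import hmac


def gravatar_style_hash(email: str) -> str:
    """Unsalted MD5 of the trimmed, lower-cased address (Gravatar's convention)."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def keyed_pseudonym(email: str, server_key: bytes) -> str:
    """HMAC-SHA256 under a server-side secret: stable per user, not recomputable outside."""
    msg = email.strip().lower().encode("utf-8")
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def linkable(published: dict, known_addresses: list, hash_fn) -> dict:
    """Map each published pseudonym to a known address whose hash_fn output matches."""
    lookup = {hash_fn(addr): addr for addr in known_addresses}
    return {name: lookup[h] for name, h in published.items() if h in lookup}


# Constructed sample data: pseudonym -> address held privately by the service.
ACCOUNTS = {"anon_fox": " Alice@Example.com", "night_owl": "bob@example.org"}
# Addresses an outside party already knows from elsewhere (constructed).
KNOWN = ["alice@example.com", "carol@example.net"]
SERVER_KEY = b"constructed-demo-key"  # placeholder; a real key stays server-side


def published_md5() -> dict:
    """What an API exposes if it ships the Gravatar-style hash with each comment."""
    return {name: gravatar_style_hash(addr) for name, addr in ACCOUNTS.items()}


def published_keyed() -> dict:
    """What the same API exposes if it ships a keyed pseudonym instead."""
    return {name: keyed_pseudonym(addr, SERVER_KEY) for name, addr in ACCOUNTS.items()}


if __name__ == "__main__":
    # The unsalted hash is a deterministic function anyone can recompute.
    print("unsalted MD5 :", linkable(published_md5(), KNOWN, gravatar_style_hash))
    # Without SERVER_KEY the published values cannot be reproduced.
    print("keyed HMAC   :", linkable(published_keyed(), KNOWN, gravatar_style_hash))
```

The keyed value cannot serve as a Gravatar lookup key, which is the trade-off behind Disqus dropping the Gravatar integration together with the hash.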

"We will evaluate any further changes that will need to be made based on these actions," he said. Inquiries from The Local for further comment were not immediately returned.


Fredriksson took exception to the Research Group being painted as wrongdoers by Disqus, explaining that he and his team "didn't even use any account for this, and never had to agree on any terms of service."

"We are researchers and they cannot blame us for researching openly available data. I think the bad guys are those who handle our personal information so carelessly," he said.

Fredriksson went on to admit that he and his colleagues aren't sure what to do with the data now in their possession, but expressed fears about who else might have similar technology that could unmask Disqus users.

"You can imagine a lot of unseemly scenarios," he said.  "Perhaps the authorities in Iran, for example, have data like this from Israeli media sites and might use it to find out who is behind the comments."

Fredriksson said the incident is a wake-up call for news sites and online commenters everywhere to be more aware that their data may not be as safe as they had previously thought.

"People need to know more about the risks that arise when third-parties get access to their data," he told The Local. "It shows how much uncertainty there is in systems like this."

David Landes (david.landes@thelocal.se)
