
Swedes uncover Disqus user security breach

David Landes · 12 Dec 2013, 15:15

Published: 12 Dec 2013 15:15 GMT+01:00

After outing several 'online haters' at home, which caused several resignations from the populist, far-right Sweden Democrat party, the Swedish investigative journalists behind the revelations said they had accessed the identities of several million commenters using the popular Disqus system.

Martin Fredriksson and his colleagues started collecting Disqus data back in February 2013 as part of a project to more closely analyze anonymous online comments. They hoped to understand more about who was behind hateful and racist comments on far-right websites in Sweden. They unearthed some 6,000 anonymous accounts in Sweden on commission from the tabloid Expressen, which published the data on Tuesday.

Fredriksson told The Local on Thursday that the unmasking of a few thousand users behind pseudonyms used on far-right sites in Sweden could just be the tip of the iceberg.

Millions of Disqus users are at risk of having their identities exposed, said Fredriksson, responsible publisher (ansvarig utgivare) for the Research Group (Researchgruppen), who said his group's database contained a total of 29 million comments from Disqus users around the world.

"We used an open Disqus API protocol to obtain the data," he said, using a common acronym for "application protocol interface", which specifies how software components should interact with one another. In order to obtain the data more efficiently, Fredriksson wrote a programme that automated the data download requests sent to Disqus servers.

"You usually get around 100 comments with one request, but our system was able to send ten requests at once," he explained.

While the thrust of the research focused on far-right sites in Sweden, data was also collected from news sites elsewhere in the world, including CNN, The Telegraph, ABC News, and The Jerusalem Post, as well as from mainstream Swedish news sites such as Svenska Dagbladet, SVT Debatt and The Local.

Members of the Research Group quickly realized, however, that the data they received also came with metadata that included the email addresses tied to anonymous Disqus accounts.

"It came as something as a shock," he said. "We got a lot of data we probably weren't supposed to get."

Fredriksson emphasized that the group didn't use any illicit methods in obtaining the data, but that the information was included in their trawl due to a security flaw at Disqus.

"When you leave a comment as a Disqus user, there is information about the date, username, and the comment itself which is open data," he said. "But (Disqus) also sent us data with coding that made it possible to identify people's email addresses."

After it emerged that Disqus users had been identified in the Expressen news stories, the company was quick to take action.

"Disqus has not been cracked. No emails were leaked by Disqus," vice president for marketing Stephen Roy said in a statement released on Tuesday.

He explained that Disqus offers API services that include "MD5 hashes" of email addresses that allow users to access third-party services such as Gravatar, which in turn permits users to display a consistent avatar across platforms.

"This appears to be a targeted attack on a group of individuals using pattern matching of their activity across the web, associated with email addresses used by those individuals," said Roy, calling the actions a breach of Disqus privacy regulations. "As in all such cases, we are terminating the account."

Roy added that Disqus was disabling use of the Gravatar service and removing the MD5 email hash from its API.
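The kind of identifier Roy describes can be audited for what it exposes. The following is an added example, not code from the article, Disqus or the Research Group: it uses constructed comment records to show why an unsalted MD5 of an email address acts as a stable identifier across services, next to a keyed per-service pseudonym. The keyed variant, the record layout and all names are assumptions for illustration.

```python
import hashlib
import hmac

def normalise(email: str) -> bytes:
    return email.strip().lower().encode("utf-8")

def md5_email_hash(email: str) -> str:
    # Gravatar convention: MD5 of the trimmed, lower-cased address, no key or salt.
    return hashlib.md5(normalise(email)).hexdigest()

def keyed_pseudonym(email: str, service_key: bytes) -> str:
    # Hardened alternative (an assumption, not Disqus's fix): HMAC-SHA256 under
    # a secret key that only one service holds.
    return hmac.new(service_key, normalise(email), hashlib.sha256).hexdigest()

def publish(comments, identifier):
    # What an API response would expose: pseudonym, text and a derived identifier.
    return [{"user": c["user"], "text": c["text"], "id": identifier(c["email"])}
            for c in comments]

def shared_ids(api_a, api_b):
    # Identifiers present in both responses link accounts across services.
    return {r["id"] for r in api_a} & {r["id"] for r in api_b}

def matches_known_address(api, email, identifier):
    # Can a party holding only public data and one address confirm its owner?
    target = identifier(email)
    return [r["user"] for r in api if r["id"] == target]

# Constructed sample records (hypothetical users and addresses).
SITE_A = [{"user": "nightowl", "email": "Alice@Example.org ", "text": "..."},
          {"user": "bob_k", "email": "bob@example.net", "text": "..."}]
SITE_B = [{"user": "anon4471", "email": "alice@example.org", "text": "..."}]
KEY_A, KEY_B = b"constructed-key-site-a", b"constructed-key-site-b"

def audit():
    weak_a, weak_b = publish(SITE_A, md5_email_hash), publish(SITE_B, md5_email_hash)
    strong_a = publish(SITE_A, lambda e: keyed_pseudonym(e, KEY_A))
    strong_b = publish(SITE_B, lambda e: keyed_pseudonym(e, KEY_B))
    known = "alice@example.org"
    return {
        "md5_linked": len(shared_ids(weak_a, weak_b)),
        "md5_confirmed": matches_known_address(weak_b, known, md5_email_hash),
        "hmac_linked": len(shared_ids(strong_a, strong_b)),
        # Without KEY_B an outsider can only recompute the unkeyed hash.
        "hmac_confirmed": matches_known_address(strong_b, known, md5_email_hash),
    }

if __name__ == "__main__":
    print(audit())
```

A keyed pseudonym no longer works with Gravatar, which looks avatars up by the plain MD5 value, so the avatar feature and the stable identifier are lost together.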

"We will evaluate any further changes that will need to be made based on these actions," he said. Inquiries from The Local for further comment were not immediately returned.


Fredriksson took exception to the Research Group being painted as wrongdoers by Disqus, explaining that he and his team "didn't even use any account for this, and never had to agree on any terms of service".

"We are researchers and they cannot blame us for researching openly available data. I think the bad guys are those who handle our personal information so carelessly," he said.

Fredriksson went on to admit that he and his colleagues aren't sure what to do with the data now in their possession, but expressed fears about who else might have similar technology that could unmask Disqus users.

"You can imagine a lot of unseemly scenarios," he said.  "Perhaps the authorities in Iran, for example, have data like this from Israeli media sites and might use it to find out who is behind the comments."

Fredriksson said the incident is a wake-up call for news sites and online commenters everywhere to be more aware that their data may not be as safe as they had previously thought.

"People need to know more about the risks that arise when third-parties get access to their data," he told The Local. "It shows how much uncertainty there is in systems like this."

David Landes (david.landes@thelocal.se)
