Swedes uncover Disqus user security breach
A screengrab from the Disqus debate tool website.

Published: 12 Dec 2013 15:15 GMT+01:00
Updated: 12 Dec 2013 15:15 GMT+01:00

A group of Swedish journalists are sitting on a goldmine of 29 million online comments, with information about users' identities, from news sites around the world thanks to a security flaw in debate moderation service Disqus.

After outing several 'online haters' at home, which caused several resignations from the populist, far-right Sweden Democrat party, the Swedish investigative journalists behind the revelations said they had accessed the identities of several million commenters using the popular Disqus system.

Martin Fredriksson and his colleagues started collecting Disqus data back in February 2013 as part of a project to more closely analyze anonymous online comments. They hoped to understand more about who was behind hateful and racist comments on far-right websites in Sweden. They unearthed some 6,000 anonymous accounts in Sweden on commission from the tabloid Expressen, which published the data on Tuesday.

Fredriksson told The Local on Thursday that the unmasking of a few thousand users behind pseudonyms used on far-right sites in Sweden could just be the tip of the iceberg.

There are millions of Disqus users whose identities are at risk of exposure, said Fredriksson, responsible publisher (ansvarig utgivare) for the Research Group (Researchgruppen), who said his group's database contained a total of 29 million comments from Disqus users around the world.

"We used an open Disqus API protocol to obtain the data," he said, using a common acronym for "application protocol interface", which specifies how software components should interact with one another. In order to obtain the data more efficiently, Fredriksson wrote a programme that automated the data download requests sent to Disqus servers.

"You usually get around 100 comments with one request, but our system was able to send ten requests at once," he explained.

While the thrust of the research focused on far-right sites in Sweden, data was also collected from news sites elsewhere in the world, including CNN, The Telegraph, ABC News, and The Jerusalem Post, as well as from mainstream Swedish news sites such as Svenska Dagbladet, SVT Debatt and The Local.

Members of the Research Group quickly realized, however, that the data they received also came with metadata that included the email addresses tied to anonymous Disqus accounts.

"It came as something of a shock," he said. "We got a lot of data we probably weren't supposed to get."

Fredriksson emphasized that the group didn't use any illicit methods in obtaining the data, but that the information was included in their trawl due to a security flaw at Disqus.

"When you leave a comment as a Disqus user, there is information about the date, username, and the comment itself which is open data," he said. "But (Disqus) also sent us data with coding that made it possible to identify people's email addresses."

After it emerged that Disqus users had been identified in the Expressen news stories, the company was quick to take action.

"Disqus has not been cracked. No emails were leaked by Disqus," vice president for marketing Stephen Roy said in a statement released on Tuesday.

He explained that Disqus offers API services that include "MD5 hashes" of email addresses that allow users to access third-party services such as Gravatar, which in turn permits users to display a consistent avatar across platforms.

"This appears to be a targeted attack on a group of individuals using pattern matching of their activity across the web, associated with email addresses used by those individuals," said Roy, calling the actions a breach of Disqus privacy regulations. "As in all such cases, we are terminating the account."

Roy added that Disqus was disabling use of the Gravatar service and removing the MD5 hash of the email address from its API.
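An unsalted hash of an email address works as an identifier because anyone who already holds a candidate address can recompute the same value, and the same value appears wherever that address is used. The following is an added example, not code from Disqus or the Research Group: a check a service operator can run over their own API output to find fields that are a plain digest of a user's address, next to a keyed alternative. The payload shape, field names, address and key are constructed for illustration.

```python
import hashlib
import hmac

UNSALTED = ("md5", "sha1", "sha256")  # digests any third party can recompute

def normalise(email):
    # Gravatar-style normalisation: trim whitespace, lower-case
    return email.strip().lower()

def unsalted_digests(email):
    """Map each plain digest of the address to the algorithm that produced it."""
    data = normalise(email).encode("utf-8")
    return {hashlib.new(alg, data).hexdigest(): alg for alg in UNSALTED}

def keyed_pseudonym(email, service_key):
    """HMAC-SHA256 under a key that never leaves the server: stable for the
    service, but not recomputable by someone who only knows the address."""
    data = normalise(email).encode("utf-8")
    return hmac.new(service_key, data, hashlib.sha256).hexdigest()

def find_email_derived_fields(payload, email, path=""):
    """Walk a decoded JSON payload; report (path, algorithm) for every string
    field equal to an unsalted digest of the given user's email address."""
    known = unsalted_digests(email)
    findings = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            findings += find_email_derived_fields(value, email, f"{path}/{key}")
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            findings += find_email_derived_fields(value, email, f"{path}/{i}")
    elif isinstance(payload, str) and payload.lower() in known:
        findings.append((path, known[payload.lower()]))
    return findings

def sample_response(author_id):
    # Constructed comment-API response; field names are hypothetical
    return {"response": [{"message": "First!", "createdAt": "2013-12-10T09:00:00",
                          "author": {"username": "anon_1234", "emailHash": author_id}}]}

if __name__ == "__main__":
    email = "  Commenter@Example.com "            # constructed test account
    key = b"constructed-demo-key-not-for-production"
    before = sample_response(hashlib.md5(normalise(email).encode()).hexdigest())
    after = sample_response(keyed_pseudonym(email, key))
    print("before:", find_email_derived_fields(before, email))
    print("after: ", find_email_derived_fields(after, email))
```

Run against test accounts whose addresses you control; a keyed value still links one user's records inside the service, so it only belongs in public output if that linkage is intended.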

"We will evaluate any further changes that will need to be made based on these actions," he said. Inquiries from The Local for further comment were not immediately returned.

Fredriksson took exception to the Research Group being painted as wrongdoers by Disqus, explaining that he and his team "didn't even use any account for this, and never had to agree on any terms of service".

"We are researchers and they cannot blame us for researching openly available data. I think the bad guys are those who handle our personal information so carelessly," he said.

Fredriksson went on to admit that he and his colleagues aren't sure what to do with the data now in their possession, but expressed fears about who else might have similar technology that could unmask Disqus users.

"You can imagine a lot of unseemly scenarios," he said.  "Perhaps the authorities in Iran, for example, have data like this from Israeli media sites and might use it to find out who is behind the comments."

Fredriksson said the incident is a wake-up call for news sites and online commenters everywhere to be more aware that their data may not be as safe as they had previously thought.

"People need to know more about the risks that arise when third-parties get access to their data," he told The Local. "It shows how much uncertainty there is in systems like this."

David Landes (david.landes@thelocal.se)
