
Swedes uncover Disqus user security breach

David Landes · 12 Dec 2013, 15:15

Published: 12 Dec 2013 15:15 GMT+01:00


After outing several 'online haters' at home, which caused several resignations from the populist, far-right Sweden Democrat party, the Swedish investigative journalists behind the revelations said they had accessed the identities of several million commenters using the popular Disqus system.

Martin Fredriksson and his colleagues started collecting Disqus data back in February 2013 as part of a project to more closely analyze anonymous online comments. They hoped to understand more about who was behind hateful and racist comments on far-right websites in Sweden. They unearthed some 6,000 anonymous accounts in Sweden on commission from the tabloid Expressen, which published the data on Tuesday.

Fredriksson told The Local on Thursday that the unmasking of a few thousand users behind pseudonyms used on far-right sites in Sweden could just be the tip of the iceberg.

Millions of Disqus users are at risk of having their identity exposed, said Fredriksson, responsible publisher (ansvarig utgivare) for the Research Group (Researchgruppen), who said his group's database contained a total of 29 million comments from Disqus users around the world.

"We used an open Disqus API protocol to obtain the data," he said, using a common acronym for "application protocol interface", which specifies how software components should interact with one another. In order to obtain the data more efficiently, Fredriksson wrote a programme that automated the data download requests sent to Disqus servers.

"You usually get around 100 comments with one request, but our system was able to send ten requests at once," he explained.

While the thrust of the research focused on far-right sites in Sweden, data was also collected from news sites elsewhere in the world, including CNN, The Telegraph, ABC News, and The Jerusalem Post, as well as from mainstream Swedish news sites such as Svenska Dagbladet, SVT Debatt and The Local.

Members of the Research Group quickly realized, however, that the data they received also came with metadata that included the email addresses tied to anonymous Disqus accounts.

"It came as something as a shock," he said. "We got a lot of data we probably weren't supposed to get."

Fredriksson emphasized that the group didn't use any illicit methods in obtaining the data, but that the information was included in their trawl due to a security flaw at Disqus.

"When you leave a comment as a Disqus user, there is information about the date, username, and the comment itself which is open data," he said. "But (Disqus) also sent us data with coding that made it possible to identify people's email addresses."

After it emerged that Disqus users had been identified in the Expressen news stories, the company was quick to take action.

"Disqus has not been cracked. No emails were leaked by Disqus," vice president for marketing Stephen Roy said in a statement released on Tuesday.

He explained that Disqus offers API services that include "MD5 hashes" of email addresses that allow users to access third-party services such as Gravatar, which in turn permits users to display a consistent avatar across platforms.

"This appears to be a targeted attack on a group of individuals using pattern matching of their activity across the web, associated with email addresses used by those individuals," said Roy, calling the actions a breach of Disqus privacy regulations. "As in all such cases, we are terminating the account."

Roy added that Disqus was disabling use of the Gravatar service and removing the MD5 hash email from its API.
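Why an unsalted MD5 of an email address behaves as a stable identifier rather than as anonymisation, shown as an added example (not code from Disqus, Gravatar or the Research Group). The usernames, addresses and `SERVER_KEY` are constructed, and the HMAC variant is an assumed mitigation, not something the article says Disqus adopted.

```python
import hashlib
import hmac

def normalise(email: str) -> bytes:
    # Gravatar's convention: trim whitespace and lower-case before hashing.
    return email.strip().lower().encode("utf-8")

def md5_email_hash(email: str) -> str:
    """Unsalted MD5: anyone holding the address can recompute this value."""
    return hashlib.md5(normalise(email)).hexdigest()

def keyed_email_id(email: str, key: bytes) -> str:
    """Assumed mitigation: HMAC-SHA256 under a key that stays on the server."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()

def publish(accounts: dict, hash_fn) -> list:
    """Shape of a public API response: pseudonym plus a derived email field."""
    return [{"username": u, "email_hash": hash_fn(e)} for u, e in accounts.items()]

def link_accounts(records: list, candidates: list, hash_fn) -> dict:
    """Join published hashes against addresses known from elsewhere."""
    lookup = {hash_fn(addr): addr for addr in candidates}
    return {r["username"]: lookup[r["email_hash"]]
            for r in records if r["email_hash"] in lookup}

# Constructed sample data (no real accounts or addresses).
ACCOUNTS = {"night_owl_77": "Anna.Berg@example.com",
            "truth_teller": "k.lind@example.org"}
CANDIDATES = ["anna.berg@example.com", "someone.else@example.net"]
SERVER_KEY = b"constructed-demo-key"  # hypothetical; never sent to clients

def demo():
    weak = publish(ACCOUNTS, md5_email_hash)
    hardened = publish(ACCOUNTS, lambda e: keyed_email_id(e, SERVER_KEY))
    # An outside party can only recompute the unkeyed function.
    return (link_accounts(weak, CANDIDATES, md5_email_hash),
            link_accounts(hardened, CANDIDATES, md5_email_hash))

if __name__ == "__main__":
    exposed, protected = demo()
    print("unsalted MD5 links:", exposed)
    print("keyed HMAC links:  ", protected)
```

A keyed identifier cannot be used for Gravatar lookups, which is consistent with Disqus disabling the Gravatar service when it removed the hash from its API.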

"We will evaluate any further changes that will need to be made based on these actions," he said. Inquiries from The Local for further comment were not immediately returned.


Fredriksson took exception to the Research Group being painted as wrongdoers by Disqus, explaining that he and his team "didn't even use any account for this, and never had to agree on any terms of service".

"We are researchers and they cannot blame us for researching openly available data. I think the bad guys are those who handle our personal information so carelessly," he said.

Fredriksson went on to admit that he and his colleagues aren't sure what to do with the data now in their possession, but expressed fears about who else might have similar technology that could unmask Disqus users.

"You can imagine a lot of unseemly scenarios," he said.  "Perhaps the authorities in Iran, for example, have data like this from Israeli media sites and might use it to find out who is behind the comments."

Fredriksson said the incident is a wake-up call for news sites and online commenters everywhere to be more aware that their data may not be as safe as they had previously thought.

"People need to know more about the risks that arise when third-parties get access to their data," he told The Local. "It shows how much uncertainty there is in systems like this."

David Landes (david.landes@thelocal.se)
