Disqus is updating its widely used comments platform after a Swedish tabloid exposed politicians and other public figures for allegedly making highly offensive comments on right-wing websites.
The Swedish daily Expressen, working with an investigative journalism group, said it uncovered the identity of hundreds of people who left offensive comments at four right-wing websites through their e-mail addresses. It then confronted the authors of the comments, many of whom freely admitted to writing them.
Later on Tuesday, Disqus said its network had not been breached and that it did not leak e-mail addresses. The journalists appeared to have abused a feature it used for a third party service, it said.
Based on information from Disqus and other observers, a general picture of the journalists’ method has emerged.
Disqus used a third party service called Gravatar from Automattic, the company behind the WordPress content management system used on many websites. Users can upload an avatar, which will then appear on any Gravatar-enabled website.
A Disqus API (application programming interface) fetched avatars from Gravatar using the ‘hashed’ e-mail addresses of registered users. A hash is a cryptographic representation in numbers and letters of a value processed by an algorithm.
The journalists likely collected the nicknames of commentators from the websites, then pinged Disqus’ API to see what hashed value was returned. They could have gained access to Disqus’ API by creating an account, according to Eaxbreakparty, a blog run by a self-described cryptography enthusiast.
With that value in hand, a couple of scenarios are possible. If the journalists already had a database of personal e-mail addresses, they could generate the MD5 hash for those addresses and then see which ones match the hashes returned by Disqus.
Also, it is possible, but difficult, to convert MD5 hashes back to their original value, which would give them email addresses with which to perform further research.
Disqus said in a statement that “to use our API or service for such purposes, is a breach of our privacy guidelines.” The account believed to have been used for the research would be terminated, it said.
The company said it would also disable Gravatar and remove “the MD5 hash e-mail addresses from the API. We will evaluate any further changes that will need to be made based on these actions.”
Jeremy Kirk, IDG News Service
@jeremy_kirk jeremy_kirk@idg.com
Subscribers 0
Fans 0
Followers 0
Followers