Swedish journalists have found a way to obtain email addresses

Dec 13, 2013 10:14 GMT

A group of investigative journalists from Sweden say they’ve uncovered a way to identify users who have posted anonymous comments online with the blog comment hosting service Disqus.

According to The Local, the journalists have a database of 29 million comments. They initially started their research in an effort to find out who was posting racist and hateful comments on Swedish far-right websites.

Around 6,000 accounts connected to Swedish far-right sites have been uncovered, but the data they’ve collected also covers websites such as those of ABC News, CNN, The Telegraph, and The Jerusalem Post.

The flaw they’ve found lies in the Disqus API. The journalists used the API to obtain the 29 million comments, and noticed that the responses also carried metadata from which the commenters’ email addresses could be derived.

“When you leave a comment as a Disqus user, there is information about the date, username, and the comment itself which is open data,” Martin Fredriksson, one of the journalists, told The Local. “But (Disqus) also sent us data with coding that made it possible to identify people's email addresses.”

Disqus representatives have rushed to clarify that their systems have not been breached and that the email addresses haven’t been obtained from their systems.

They explained that the API responses include MD5 hashes of commenters’ email addresses, which customers use to access other services such as Gravatar.
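The mechanism behind this is simple: a Gravatar-style identifier is the unsalted MD5 of the normalised address, so the same address always yields the same hash, and anyone holding a list of addresses can check whether an exposed hash belongs to one of them. The example below is added here to illustrate that and is not code from Disqus or from the journalists. It is written from the defender's side: given hashes that have been exposed, it checks which of the addresses an operator is responsible for are identified, and shows a keyed (HMAC) identifier as the kind of replacement that stays usable as a per-site key while not being linkable across sites. All addresses and the secret key are constructed sample values.

```python
import hashlib
import hmac


def gravatar_hash(email: str) -> str:
    """Gravatar-style identifier: MD5 of the trimmed, lower-cased address.

    Unsalted and deterministic, so it is a stable, globally comparable
    identifier for the address rather than an anonymous token.
    """
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def match_exposed_hashes(exposed: set[str], addresses: list[str]) -> dict[str, str]:
    """Defender's check: which of our addresses do the exposed hashes identify?

    Builds a lookup table from the addresses we are responsible for and
    returns {hash: address} for every exposed hash found in it.
    """
    table = {gravatar_hash(addr): addr for addr in addresses}
    return {h: table[h] for h in exposed if h in table}


def keyed_identifier(email: str, secret: bytes) -> str:
    """Mitigation: a keyed identifier (HMAC-SHA256 under a per-site secret).

    Still stable within one site, so it can key avatars or de-duplicate
    commenters, but without the secret it cannot be matched against a
    list of candidate addresses or correlated across other sites.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(secret, normalised, hashlib.sha256).hexdigest()


# Constructed sample data (not from the article).
SAMPLE_ADDRESSES = [
    "alice@example.com",
    "bob@example.net",
    "carol@example.org",
]
SAMPLE_SECRET = b"constructed-per-site-secret"


def demo() -> dict[str, str]:
    # Pretend the first two hashes leaked through an API response, plus one
    # hash we hold no address for; only the first two can be resolved.
    exposed = {
        gravatar_hash("Alice@Example.com "),  # normalisation makes this match
        gravatar_hash("bob@example.net"),
        "0" * 32,                              # unknown hash, no match
    }
    return match_exposed_hashes(exposed, SAMPLE_ADDRESSES)


if __name__ == "__main__":
    for h, addr in demo().items():
        print(f"{h} -> {addr}")
    print("keyed:", keyed_identifier("alice@example.com", SAMPLE_SECRET))
```

The point the check makes is that the exposed value is reversible for any address the holder of the data already knows; the keyed variant removes that property because the lookup table cannot be built without the secret.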

“This appears to be a targeted attack on a group of individuals using pattern matching of their activity across the web, associated with email addresses used by those individuals,” noted Disqus Vice President for Marketing Stephen Roy.

Following the revelations, the company says it will remove the MD5 email hashes from the API and disable the use of Gravatar.

Disqus says the journalists breached the company’s privacy regulations. However, Fredriksson argues that they haven’t used Disqus accounts to harvest the data, so they haven’t agreed to any terms of service.

The journalists highlight that others might also be using their method to unmask anonymous commenters.