Wednesday, December 11, 2013

Disqus admits security flaw - MD5-hashes disabled

Disqus admits that the MD5 security flaw exists and has removed the function from their API, disabling Gravatar support. Using the API in the manner of Researchgruppen or their employees or contractors is a breach of Disqus' privacy policy, and the account has been terminated.

The complete statement from Disqus regarding the MD5 flaw is available on their website.
"Disqus offers an API service that includes MD5 hashes of email addresses in order to use Gravatar, a commonly used third party service that enables users to display a consistent avatar across platforms. This appears to be a targeted attack on a group of individuals using pattern matching of their activity across the web, associated with email addresses used by those individuals. [...] Further, we are disabling Disqus' use of the Gravatar service and removing the MD5 hash email addresses from the API."
Help Net Security has an article about the flaw, in which I, Lars Wilderäng, am quoted from this blog. I must reiterate that it was the security engineer David Remahl (@chmod007 on Twitter) who made the security flaw public. I only spread the news when I discovered what I considered real news and a serious breach of privacy in Disqus. My Swedish blog is the largest independent (not affiliated with any employer, media house, political party or other outlet) Swedish blog on serious subjects (i.e. not fashion, celebrities or sports), mainly economy, finance, environment and politics, and as such news published by me can spread fast.

Ordinary Swedish journalists generally lack the technological know-how to understand the technology and the serious implications of security flaws, and I've been consulted, but not quoted, by journalists in several other related cases. Mainly the Snowden files and the fact that many Swedish government organisations, municipalities and companies are open to industrial espionage by using Google or Microsoft e-mail services, even for internal organisation mail, to which the NSA has full access.

Industrial espionage is one of the NSA's tasks, and may be used in order to give American companies an advantage when placing bids on contracts, as they may see other bidders' offerings to, for example, Swedish government organisations. The NSA may also gain intimate knowledge of key individuals' private lives, which can also be used to the advantage of US companies and foreign policy, for example by making it easier to befriend politicians by discussing their hobbies or favourite subjects when meeting informally. The man on the street may very well lose his job due to unfair competition practices on behalf of US companies cooperating with the NSA, but most people don't think they have anything to fear from the monitoring of the Internet.

Back in Sweden, the Bonnier Group tabloid Expressen is now publishing names of private individuals, not politicians, who have commented on hate speech sites, identified by the Disqus security flaw.
