Tuesday, December 10, 2013

FLASH: Disqus cracked - security flaw reveals user e-mail addresses

The Swedish company Researchgruppen has cracked the Disqus commenting system, enabling it to identify Disqus users by their e-mail addresses. The crack was done in cooperation with the Bonnier Group tabloid Expressen, in order to reveal politicians commenting on Swedish hate-speech sites. (Bonnier/Expressen, article in Swedish)

The crack uses a serious security flaw in the Disqus APIs, which allowed the extraction of MD5 hashes of user e-mail addresses. Since anyone can compute the MD5 hash of a candidate e-mail address, matching the extracted hashes by brute force against an e-mail database identifies the users.

Example of the attack vector, as revealed by Twitter user chmod007 (security engineer David Remahl).

The Disqus commenting system has over 50 million users worldwide and is used by 750 000 media sites and blogs (Wikipedia). Those users are no longer necessarily anonymous.
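To make the weakness concrete, here is an added Python example (written for this page; it is not Disqus' code and was not part of the original post). It shows why an unkeyed MD5 of an e-mail address is only as private as the attacker's address list, and contrasts it with a keyed token (HMAC-SHA256 under a server-side secret) that serves the same "stable identifier" purpose without being recomputable from a candidate list. The candidate addresses, the server key and the address normalisation are constructed assumptions for the demo.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample data (not from the article): a short stand-in for a
# leaked address list such as the Adobe dump the post mentions.
CANDIDATE_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "councillor.c@example.net",
    "dana@example.co.uk",
]


def normalise(email: str) -> bytes:
    """Trim and lower-case so the same address always hashes the same way
    (assumed normalisation; the real service's rule is not on the page)."""
    return email.strip().lower().encode("utf-8")


def md5_of_email(email: str) -> str:
    """Unkeyed MD5 of an e-mail address: the kind of per-commenter value the
    article says the Disqus API exposed."""
    return hashlib.md5(normalise(email)).hexdigest()


def match_unsalted(exposed_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """The matching step the article describes: one MD5 per candidate,
    compared with the exposed hash. No secret is needed, so a large address
    list turns every exposed hash into a simple lookup."""
    for email in candidates:
        if hmac.compare_digest(md5_of_email(email), exposed_hash):
            return email
    return None


def keyed_email_token(email: str, server_key: bytes) -> str:
    """Mitigation: HMAC-SHA256 under a server-side secret. The same address
    still maps to the same token, but without the key the token cannot be
    recomputed from a candidate list."""
    return hmac.new(server_key, normalise(email), hashlib.sha256).hexdigest()


def match_keyed(exposed_token: str, candidates: Iterable[str],
                guessed_key: bytes) -> Optional[str]:
    """The same dictionary match against a keyed token; it only succeeds if
    the matcher also holds the real key."""
    for email in candidates:
        if hmac.compare_digest(keyed_email_token(email, guessed_key), exposed_token):
            return email
    return None


def demo() -> dict:
    """Run both schemes against the same candidate list and report results."""
    victim = "councillor.c@example.net"
    server_key = b"constructed-server-secret-for-demo"  # hypothetical key

    exposed_md5 = md5_of_email(victim)
    exposed_token = keyed_email_token(victim, server_key)

    return {
        # identified: unkeyed MD5 is matched from the list alone
        "md5_match": match_unsalted(exposed_md5, CANDIDATE_EMAILS),
        # not identified: keyed token cannot be matched without the key
        "keyed_match_without_key": match_keyed(exposed_token, CANDIDATE_EMAILS,
                                               b"attacker-guess"),
        # identified only by the party holding the key (the service itself)
        "keyed_match_with_key": match_keyed(exposed_token, CANDIDATE_EMAILS,
                                            server_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two points the code makes that the paragraph does not: the matching cost is one hash per candidate address, computed once and reusable against every exposed hash, so the size of the address list is the only real limit; and a keyed token fixes the dictionary problem but is still a stable per-user identifier that links one person's comments across sites, so the stronger fix is not to hand any address-derived value to clients at all.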

Update: Looking for 150 million e-mail addresses to match vs Disqus accounts? Download the 150 million user e-mails from the intrusion into Adobe's user database.

Update 2: Researchgruppen and possibly Expressen might be in violation of the Disqus terms of service, which they presumably had to agree to in order to access the API. See below.
"Service Rules. You agree not to engage in any of the following prohibited activities: (i) copying, distributing, or disclosing any part of the Service in any medium, including without limitation by any automated or non-automated “scraping” except for uses allowed under the “Feed and API” section below; [...] (vii) collecting or harvesting any personally identifiable information, including account names, from the Service; (viii) uploading, posting, transmitting, sharing, storing or otherwise making publicly available on the site, or other channels, any private, personally identifiable information of any third party including, but not limited to: addresses, phone numbers, email addresses, Social Security numbers and credit card numbers; [...] (xii) accessing any content on the Service through any technology or means other than those provided or authorized by the Service or Disqus’ written permission;"


  1. "The crack was done in cooperation with the Bonnier group tabloid Expressen, in order to reveal politicians commenting on Swedish hate speech-sites".

    Granted, I dislike the orgy of racism that sometimes occurs on the Internet, but how can it be legal for AFA/Researchgruppen/Bonnier to commit computer intrusion in order to register the opinions of inconvenient Swedish politicians? It takes very little imagination to sense shady forces on the move ahead of next year's election. A clear-cut case for the Security Police, one might think.

    1. This was hardly something AFA was behind, was it? Nor is this opinion registration; it is scrutiny of elected politicians. As a politician you should be able to stand by your opinions and not hide behind pseudonyms.

    2. Stories have started to surface that they have also gone to private individuals and tried to interview them, something that can definitely be counted as opinion registration.

    3. "This was hardly something AFA was behind, was it?"

      Yes, it was. Researchgruppen was formerly called AFA Dokumentation.

  2. So this isn't a way spammers could harvest email addresses, it's merely a way of correlating comments a user made to their email address if you know their email address already. Not such a big deal for most Disqus users, but a bit of a problem if you were hoping to be anonymous like these Swedish politicians.

    1. Yes. You have to have a list of e-mail addresses to match vs MD5 hashes. For example the 150 million Adobe user e-mail addresses. Disqus cannot be considered anonymous, unless you use a one-off e-mail address for registration.

  3. The opinion registration took place on Disqus and similar sites, where the people in question save their opinions of their own free will so that they can be presented to the public. That someone takes the trouble to collect all of this is about as outrageous as the editorial pages in Sweden having their opinions registered by the Royal Library, which receives legal deposit copies of everything they publish and then keeps them.

    This is not a computer intrusion; you can ask Disqus for information about a user and you will get an answer that you can then compare with a list of known persons you suspect might be the user.

    What you object to is that users have been de-anonymised, which one can have mixed feelings about, but some of the comments on, for example, Avpixlat are criminal, so linking the users to persons can be seen as a citizen's arrest.

    1. Today Avpixlat, tomorrow perhaps comments on an article about RFSL...

    2. There have been articles mentioning RFSL on Avpixlat, so what you mention may very well have happened.

  4. "hate speech-sites"

    Well, that's an opinion, and therefore shouldn't be part of this article.

    The truth is that they're news sites. The only people claiming they're "hate speech-sites" are literally the newspapers who custom ordered this crack.

    1. That's just dumb. Go out in a shopping mall and do a small Gallup poll and you will find that most people find Avpixlat to be a disgusting and racist site - a hate speech site.
      If they were a proper news agency they would have a responsible publisher ("ansvarig utgivare").

    2. "dumb"

      Instead of trying to appeal to 'common knowledge', point out what they've written about that's "hate-speech". They're critical of our immigration policies, sure. That doesn't qualify as "hate-speech".

  5. There's really no need to use the API to get the hashes, they're always delivered, straight up, to the browser when viewing the comments.

    Here's a page with a disqus form: http://www.idg.se/2.1085/1.538395/har-ar-nyheterna-fran-spotify?articleRenderMode=listpostings

    That page embeds an iframe from Disqus ( http://disqus.com/embed/comments/?disqus_version=75c36adb&base=default&f=prodidgse&t_i=1.538395&t_u=http%3A%2F%2Fwww.idg.se%2F2.1085%2F1.538395%2Fhar-ar-nyheterna-fran-spotify%3FarticleRenderMode%3Dlistpostings&t_d=H%C3%A4r%20%C3%A4r%20nyheterna%20fr%C3%A5n%20Spotify%20-%20IDG.se&t_t=H%C3%A4r%20%C3%A4r%20nyheterna%20fr%C3%A5n%20Spotify%20-%20IDG.se&s_o=default ) which has the hashes in plain text.

    Just go to any page with Disqus comments, right click somewhere on the comments area and click "Show Frame Source" (or equivalent in your browser). Search the source for "hash" and you'll find it.

    Ergo: You don't have to do a request to the API for every single user, you just have to do a single visit to the web page and you'll get all hashes for that article.

    (However: I've no idea why Google wants my name for this comment to be "Admin Istrator", I must have fooled around with it once. But I'm available at @emiloberg)

    1. edit: Ah! I had "Admin Istrator" as username on Blogger for some reason.

    2. No, unable to recreate on several sites. Disqus have now closed that loophole. Hash is missing entirely from your URL. It is still available, but empty, on for example svd.se.

    3. You're indeed right, they've removed it from the embedded JSON. However, it was available as of last night (and has been for a long time before that).

    4. Possibly it might take a while for them to deploy updates on the Disqus server farm?
