Crypto weakness in Web comment system exposes hate-mongering politicians

Investigative journalists have exploited a cryptographic weakness in a third-party website commenting service to expose politicians and other Swedish public figures who left highly offensive remarks on right-wing blogs, according to published reports.

People have been warning of the privacy risk posed by Gravatar, short for Globally Recognized Avatar, since at least 2009. That's when a blogger showed he was able to crack the cryptographic hashes the behind-the-scenes service uses to uniquely identify its users. The Gravatar hashes, which are typically embedded in any comment left on millions of sites that use the avatar service, are generated by passing a user's e-mail address through the MD5 cryptographic function. By running guessed e-mail addresses through the same algorithm and waiting for output that matches those found in comments, it's possible to identify the authors, many of whom believe they are posting anonymously.

According to a post published Wednesday by IDG News, that's precisely the hack the Swedish publication Expressen, working with an investigative journalism group, carried out to expose the public figures who participated in the right-wing forums. According to an English translation of this article: "It is the hatred of immigrants that ties [the participants] together."

Read 7 remaining paragraphs | Comments