Little vulnerability I found on Disqus a while back when adding a new moderator to a site.

This is fairly basic, but is a really good example of how a simple thing can have large implications.

Note: this was reported to Disqus immediately on July 9th 2013, and was promptly fixed.

Effect

Discover any user’s email address using only their username.

Impact

This vulnerability could have allowed an attacker to automatically scrape all Disqus users and build a database of their usernames, avatars and email addresses. This could have been used for a very effective phishing attack or maybe even sold to a rival company for them to market directly to their competitor’s users.

Details

This one is simple: set up a new website in Disqus and find the “Add Moderators” page.

Enter the username of any user whose email address you want to know into this page.

This would have:

  • granted the user moderation access to your pretend website
  • not emailed them
  • revealed their username, avatar and full email address to you

Solution

Disqus no longer shows you the email address of your moderators.
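The fix described above is a data-minimization one: the moderator-add response must not echo private fields of the looked-up user. The following is an added illustration, not Disqus's own code and not based on their API. It assumes a hypothetical user store and a hypothetical moderator-add handler, and shows the leaky version beside a hardened one that allow-lists the public fields and notifies the added user, plus a small regression check that scans any response for an email address.

```python
"""Moderator-add endpoint: leaky version vs. allow-listed response (illustrative)."""
import re
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class User:
    username: str
    avatar_url: str
    email: str  # private: used for notifications, never returned to other users

# Constructed sample directory standing in for the real user store (assumption).
USERS = {
    "alice": User("alice", "https://example.invalid/a.png", "alice@example.invalid"),
    "bob": User("bob", "https://example.invalid/b.png", "bob@example.invalid"),
}

# The only attributes a site owner may learn about someone they add as moderator.
PUBLIC_FIELDS = ("username", "avatar_url")

class NotificationLog:
    """Stand-in for the mailer: records (recipient email, message) pairs."""
    def __init__(self):
        self.sent = []

    def notify(self, user: User, message: str) -> None:
        self.sent.append((user.email, message))

def add_moderator_vulnerable(site_owner: str, username: str) -> dict:
    """Looks the user up by username alone and serialises the whole record,
    so the caller receives the email address; the target is never notified."""
    user = USERS[username]
    return {"status": "ok", "moderator": asdict(user)}

def add_moderator_hardened(site_owner: str, username: str,
                           notifications: NotificationLog) -> dict:
    """Same operation, but the response is built from an explicit allow-list of
    public fields and the added user is told who granted them access."""
    user = USERS.get(username)
    if user is None:
        return {"status": "error", "reason": "unknown user"}
    notifications.notify(user, f"{site_owner} added you as a moderator")
    public_view = {name: getattr(user, name) for name in PUBLIC_FIELDS}
    return {"status": "ok", "moderator": public_view}

# Loose email pattern, enough to catch an address leaking in a JSON response.
_EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def response_leaks_email(obj) -> bool:
    """Regression check: walk a JSON-like response and report any email-shaped string."""
    if isinstance(obj, dict):
        return any(response_leaks_email(v) for v in obj.values())
    if isinstance(obj, (list, tuple)):
        return any(response_leaks_email(v) for v in obj)
    if isinstance(obj, str):
        return _EMAIL_RE.search(obj) is not None
    return False

if __name__ == "__main__":
    log = NotificationLog()
    print("leaky  :", add_moderator_vulnerable("owner", "alice"))
    print("hardened:", add_moderator_hardened("owner", "alice", log))
    print("notified:", log.sent)
```

The allow-list is the important part: serialising a model object wholesale (the `asdict` call in the leaky version) means any private field added to the model later ships to the client by default, whereas an explicit list of public fields fails closed. `response_leaks_email` is the kind of check worth running over every response fixture in an API test suite.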