> EJMR has been used to expose multiple counts of plagiarism, corruption and serious professional misconduct that would not likely have been shared for fear of retaliation by their higher ups or colleagues. Indeed one of the co-authors of the paper had their own likely plagiarism exposed by anonymous EJMR users, calling into question the motivation for the study.
In doing the research they - random academics, not some nation state, or criminal organisation - were able to find that the posts were not anonymous, and extract the location of posters so it was not hard. They clearly informed the forum owner, because the forum owner fixed the issue (though notably did not tell anyone that their posts were not anonymous).
Now new users of ejmr can hopefully rely on actual anonymity, and existing users can know that in principle their posts could be partially de-anonymized (the IP is the external one, most organizations being described have you behind some kind of NAT so full identification is at best questionable imo).
Certainly the attack itself is not worth publishing: it's not in any way novel or interesting, the "anonymization" ejmr did was fundamentally broken from presumably day 1. Nothing the authors did here was new, novel, or complex - the only change is that what the cost of reversing has dropped from "a large organisation" to "a single PI's budget for a single paper" over 12 years.
We need to be very clear here: there is no part of the ejmr "anonymization" scheme that was correct for what they were trying to do. They did not salt the hash, the hash algorithm they used was considered deprecated a decade prior to ejmr existing, even the hash family they used is inappropriate for this purpose.
The reason for public disclosure of vulnerabilities is that the victims of those vulnerabilities need to know that they have been victims, and they need to know what information has been leaked by ejmr. Based on the actions ejmr took to change their hashing schema, it's fairly clear ejmr found out about the vulnerability (maybe the researchers told them, maybe the researchers were not unique in discovering this). But we also know that ejmr did not inform any of its users that ejmr had been leaking information about them for 12 years.
Which is why it is necessary to publish this information - if this paper did not detail how terrible ejmr's "anonymization" was, it's pretty clear ejmr would not have told its users, and as the HN and similar comments indicate, plenty of people would believe that breaking ejmr's system was too hard for anyone else to do.
I'm tired of repeating this: ejmr was not anonymous, their attempt at anonymization was trivially broken from day 1, and defeating the anonymization is absolutely trivial and is not remotely challenging - literally the only difficulty is how long vs how much money to spend.
