Gravatars Can Leak Users' Email Addresses

Gravatars Can Leak Users' Email Addresses 170

Posted by kdawson on Wednesday December 16 2009, @01:20AM
from the chatty-little-things dept.

abell writes "Gravatar offers a global avatar service, using an MD5 hash of the user's email as avatar ID. This piece of information in some cases is enough to retrieve the original email address. Testing a simple attack on stackoverflow.com, I was able to determine the email addresses of more than 10% of the site's users."

This discussion has been archived. No new comments can be posted.

Gravatars Can Leak Users' Email Addresses

Search 170 Comments Log In/Create an Account

Comments Filter:

Public address (Score:5, Funny)

by AlpineR (32307) writes: <wagnerr@umich.edu> on Wednesday December 16 2009, @01:33AM (#30454270) Homepage

Here's my own Gravatar hash:
b835b33911b93c136d8e61cbbbe6736d [gravatar.com]
Who will be the first to crack it?

Share
twitter facebook
Re:Public address (Score:5, Funny)

by Yvan256 (722131) writes: on Wednesday December 16 2009, @01:36AM (#30454286) Homepage Journal

Is it wagnerr@umich.edu?

Parent Share
twitter facebook
Re:Public address (Score:2, Funny)

by edwebdev (1304531) writes: on Wednesday December 16 2009, @01:38AM (#30454310)

Here's a Slashdot post that shows my e-mail address next to my username.

Who will be the first to crack it?

Fixed that for you.

Parent Share
twitter facebook
Re:Public address (Score:5, Funny)

by palegray.net (1195047) writes: <`ten.yargelap' `ta' `sidarap.pilihp'> on Wednesday December 16 2009, @01:41AM (#30454334) Homepage Journal

I'm certain his email must be umich@wagnerr.edu. Now I just need to figure out why he's attending Wagner [wagner.edu] of all schools, and how the heck they managed to typo their own domain name.

Parent Share
twitter facebook
e9af4cb49c97162d6be3ea8c6ca90a46 (Score:2, Funny)

by iSzabo (1392353) writes: <tyler.szabo@COWgmail.com minus herbivore> on Wednesday December 16 2009, @02:04AM (#30454460)

I actually *just* (20 minutes ago) put my picture up there. Can you guess my email ;)

Share
twitter facebook
Re:Public address (Score:5, Funny)

by grcumb (781340) writes: on Wednesday December 16 2009, @02:11AM (#30454492) Homepage Journal

That took all of one second to find in an md5 lookup database. And thirty seconds for me to realize that I could have looked two lines higher to see it in plaintext next to your userid. :wallbash:
Upside: You get to keep your geek card.
Downside: You'll never survive the world outside your basement.
8^)

Parent Share
twitter facebook
Re:So let's change the algorithm. (Score:1, Funny)

by Anonymous Coward writes: on Wednesday December 16 2009, @03:13AM (#30454732)

I think you need to stop giving crypto advice for the day, it's not going very well.

Parent Share
twitter facebook
In the grand scheme of things this is pretty minor (Score:2, Funny)

by Just Brew It! (636086) writes: on Wednesday December 16 2009, @03:47AM (#30454840)

It's not exactly big news that a system based on MD5 hashes is susceptible to dictionary-style attacks; this should be obvious to anyone who understands how hashes work. In order for this particular attack to work, the attacker already has to have some reasonable guesses as to what your e-mail address is; the Gravatar trick only confirms the address. So it seems to me that the amount of additional data leaked is fairly small.
OTOH, I suppose I'm somewhat desensitized to this sort of thing, since I've had the same primary e-mail address for something like 15 years (going back to the days when I was rather active on Usenet). My e-mail address is already in every spammer database on the planet, so I don't see how a few more people knowing it could make things any worse!

Share
twitter facebook
Re:e9af4cb49c97162d6be3ea8c6ca90a46 (Score:3, Funny)

by Anonymous Coward writes: on Wednesday December 16 2009, @10:20AM (#30457174)

Your email is: tyler.szabo _AT_ gmail.com
md5 -s "tyler.szabo@gmail.com"
Nice job obfuscating his email in the first line.

Parent Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Gravatars Can Leak Users' Email Addresses 170

Gravatars Can Leak Users' Email Addresses More Login

Gravatars Can Leak Users' Email Addresses

Public address (Score:5, Funny)

Re:Public address (Score:5, Funny)

Re:Public address (Score:2, Funny)

Re:Public address (Score:5, Funny)

e9af4cb49c97162d6be3ea8c6ca90a46 (Score:2, Funny)

Re:Public address (Score:5, Funny)

Re:So let's change the algorithm. (Score:1, Funny)

In the grand scheme of things this is pretty minor (Score:2, Funny)

Re:e9af4cb49c97162d6be3ea8c6ca90a46 (Score:3, Funny)

Related Links Top of the: day, week, month.

Slashdot