Security Social Networks

Gravatars Can Leak Users' Email Addresses

abell writes "Gravatar offers a global avatar service, using an MD5 hash of the user's email as avatar ID. This piece of information in some cases is enough to retrieve the original email address. Testing a simple attack on stackoverflow.com, I was able to determine the email addresses of more than 10% of the site's users."


  • by jamesh ( 87723 ) on Wednesday December 16, 2009 @02:00AM (#30454436)

    It's quite well known that MD5 shouldn't be used for anything privacy related, given the fact that it's been exploited quite publicly in recent history.

    An email address isn't private... I suspect that MD5 was just a convenient way to get a fixed length id. I'd be more worried about collisions, but I'm too lazy to calculate how many avatars would be required before that might become a problem.

  • by bcrowell ( 177657 ) on Wednesday December 16, 2009 @02:19AM (#30454524) Homepage

    But is this significantly easier than other methods of harvesting email addresses? Spammers already do dictionary attacks on big providers like yahoo. It's not clear to me that this method is a better way of generating a list of email addresses. If you carry out a dictionary attack on yahoo.com, you're going to come up with probably tens of millions of valid email addresses. If you carry out this attack on gravatar.com, how many addresses are you going to get for your trouble? 10% of gravatar's users, apparently -- which I'm guessing is not really that big a number. Remember, once a spammer has a botnet, it costs him zero to send out one more spam to test whether a particular address is valid. Therefore the dictionary attack is free.

    The defense against dictionary attacks is also exactly the same as the defense against this attack: either don't use a big email provider, or use a big email provider but pick a username that has a lot of characters (so it's not vulnerable to brute-forcing) and is also not vulnerable to dictionary attacks.

  • by Korin43 ( 881732 ) on Wednesday December 16, 2009 @02:21AM (#30454540) Homepage
    What I'm wondering is why this matters at all. A spammer would just send emails [your username]@[every common email domain]. Why would they bother to check if it's the correct address or not?
  • by Anonymous Coward on Wednesday December 16, 2009 @02:31AM (#30454584)

    Your email is: tyler.szabo _AT_ gmail.com

    md5 -s "tyler.szabo@gmail.com"
    MD5 ("tyler.szabo@gmail.com") = e9af4cb49c97162d6be3ea8c6ca90a46

    For bonus points, your name is Tyler Szabo, you go to University of Waterloo and plan on graduating in 2011. You work at Amazon. You are in a relationship with a Kaylan Elizabeth L. (last name withheld as a courtesy, I'm sure you know who I mean :) ).

    I found out you registered this, looked up your avatar on Gravatar, found you on Stack Overflow which gave me your real name (searched for Szabo assuming that was something to do with you). Using this, I looked you up on Facebook, Twitter, and various other sites. Your single avatar helped me link everything together. Once I had your real name from Stack Overflow it became easy.

    Good times. Perhaps this reveals another security vulnerability? One avatar links -ALL- your social networking.

    I also have your parents, previous employers, etc, but won't post those here :)

  • Could provide an API (Score:2, Interesting)

    by Mathinker ( 909784 ) on Wednesday December 16, 2009 @04:04AM (#30454890) Journal

    From Gravatar's FAQ:

    MD5 isn't strong enough encryption, they've cracked that haven't they?

    MD5 is plenty good for obfuscating the email address of users across the wire. If you're thinking of rainbow tables, those are all geared at passwords (which are generally shorter, and less globally different from one another) and not email addresses; furthermore they are geared at generating anything that matches the hash, NOT the original data being hashed. If you are thinking about being able to reproduce a collision, you still don't necessarily get the actual email address being hashed from the data generated to create the collision. In either case the work required to both construct and operate such a monstrosity would be prohibitively costly. If we left your password laying around in the open as a plain md5 hash someone might be able to find some data (not necessarily your password) which they could use to log in as you... Leaving your email address out as an md5 hash, however, is not going to cause a violent upsurge in the number of fake rolex watch emails that you get. Let's face it, there are far more lucrative, easier ways of getting email addresses. I hope this helps ease your mind.

    So, they might have already thought about this vulnerability and dismissed it as not interesting.

    They could still fix their concept by providing an API where a website wanting to discover the avatar for a given email first hashes the email with MD5 and then the Gravatar URL which is generated redirects them to a link to the image (which contains no information about the email address, or perhaps uses a salted hash). This, in conjunction with rate limiting the number of queries per website, could provide a relatively secure way to do what they want.

  • by Anonymous Coward on Wednesday December 16, 2009 @04:34AM (#30454996)

    Yes, you're smart to figure all that out.
    But then you do not have to leave slashdot to solve the riddle:

    by iSzabo (1392353) on Wednesday December 16, @01:04AM (#30454460)

    I don't know if Facebook keeps track of visitors to one's profile (some networks do), but possibly Tyler can now guess who you are as well.

    - 043dc29be78d00413a3da8611fd93451

  • Who cares? (Score:2, Interesting)

    by johny42 ( 1087173 ) on Wednesday December 16, 2009 @06:42AM (#30455478)

    Using @ instead of @ is enough to stop most e-mail harvesting bots, I don't see them brute-forcing MD5s any time soon.

  • Not the algorithm (Score:3, Interesting)

    by panaceaa ( 205396 ) on Wednesday December 16, 2009 @07:32AM (#30455816) Homepage Journal

    This is not related to the MD5 algorithm or use of salts. The fact is that Gravatar wants sites to use Gravatar without sending loads of requests to gravatar.com. Therefore Gravatar must provide a "client-side" API for generating Gravatar avatar URLs based on the known constant, email addresses. Sure, they could have salted things, but whatever they do, there's an essentially open source function somewhere that takes an email address and converts it to a Gravatar URL. As the algorithm is available to anyone, any attack can use it to check intelligent guesses against the known algorithm result.

    There really isn't anything Gravatar can do without changing their design to decouple avatar URLs from email addresses. Basically whenever anyone registers an account with a blog, the site would have to ask Gravatar for the user's Gravatar avatar URL -- and probably poll on some regular basis in case users add Gravatar avatars later. The blog would then have to retain this data in their databases for later look-up when comments are viewed. This is certainly possible, and could probably be designed in a way that doesn't add additional load to Gravatar's servers. But compared to the current implementation, which can be added to blogs with very minimal coding (probably just a couple lines in PHP), to do this more safely would require persistence-layer/database schema changes that would severely limit the attractiveness of Gravatar.
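Taking Mathinker's salted-hash suggestion and panaceaa's point that any ID a site can compute on its own is also guessable by anyone else, the following added Python sketch (not Gravatar's code and not any poster's own) contrasts the deterministic MD5 ID with a keyed ID that only the avatar service can derive. The KeyedAvatarService class, its key and the sample addresses are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def normalize(email: str) -> bytes:
    # Gravatar's documented normalization: trim whitespace, lowercase.
    return email.strip().lower().encode("utf-8")


def gravatar_id(email: str) -> str:
    # The public avatar ID: an unkeyed MD5 of the normalized address.
    return hashlib.md5(normalize(email)).hexdigest()


def id_confirms_guess(observed_id: str, guessed_email: str) -> bool:
    # The leak in one line: anyone who sees an ID can recompute it for a
    # guessed address and learn whether the guess was right.
    return hmac.compare_digest(gravatar_id(guessed_email), observed_id)


class KeyedAvatarService:
    """Hypothetical redesign, not Gravatar's real API: IDs are keyed.

    The service derives the public ID with HMAC-SHA256 under a key only
    it holds, so a site has to ask the service at signup and store the
    result, as panaceaa's comment describes, instead of computing it.
    """
    def __init__(self, key: bytes = b""):
        self._key = key or secrets.token_bytes(32)  # constructed key
        self._avatars = {}

    def public_id(self, email: str) -> str:
        return hmac.new(self._key, normalize(email), hashlib.sha256).hexdigest()

    def register(self, email: str, image_url: str) -> str:
        # Returns the opaque ID the site embeds in its pages.
        pid = self.public_id(email)
        self._avatars[pid] = image_url
        return pid

    def image_for(self, public_id: str):
        # What the browser's request resolves to; no email is involved.
        return self._avatars.get(public_id)


def keyed_id_confirms_guess(observed_id: str, guessed_email: str) -> bool:
    # An outsider has no service key; an ID derived under any other key
    # never matches, so the published ID confirms nothing about a guess.
    outsider = KeyedAvatarService()
    return hmac.compare_digest(outsider.public_id(guessed_email), observed_id)
```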
