Security Social Networks

Gravatars Can Leak Users' Email Addresses

Posted by kdawson
from the chatty-little-things dept.
abell writes "Gravatar offers a global avatar service, using an MD5 hash of the user's email as avatar ID. This piece of information in some cases is enough to retrieve the original email address. Testing a simple attack on stackoverflow.com, I was able to determine the email addresses of more than 10% of the site's users."
  • by AlpineR (32307) <wagnerr@umich.edu> on Wednesday December 16, 2009 @01:33AM (#30454270) Homepage

    Here's my own Gravatar hash:

    b835b33911b93c136d8e61cbbbe6736d [gravatar.com]

    Who will be the first to crack it?

  • by Mathinker (909784) on Wednesday December 16, 2009 @01:35AM (#30454280) Journal

    Can anyone tell me if the "you can add extra stuff after a +" that GMail lets you do is standard in the RFC for all email addresses? If it is, to "fix" this, if you should sign up to Gravatar with an email address using a random string after an added "+" the brute force search on hashes will be much, much harder. (Assuming that your email provider is implementing that part of the standard.)

    • Re: (Score:3, Informative)

      by bennomatic (691188)
      I've looked through RFC822, and the inclusion of "+" in an email is not excluded, so it's perfectly legal. GMail's functional use of it, however (account+foo@gmail.com and account+bar@gmail.com both go to account@gmail.com, for easy tagging/filing) is just an implementation that takes advantage of the fact that most people do not have + signs in their email addresses.

      The RFC is actually pretty promiscuous; it's only implementations of it that fall short. Did you know that apostrophes are legal in the u
      • Re: (Score:3, Informative)

        by TubeSteak (669689)

        Heck; it's amazing how many sites forbid the '+' sign that Google takes advantage of

        Here's what happened in hotmail when I tried to e-mail to [name]+bananas@hotmail.com
        http://i49.tinypic.com/fbjh1j.png [tinypic.com]
        I googled that odd character and it seems to be Chinese [google.com]

        Hotmail treats the "send a message from one of your disposable addresses" generated by Spamgourmet as a typo.

        • I don't hold out much hope for slashdot not breaking this link, but here goes: http://translate.google.com/#zh-CN|en| [google.com]

          Did you see the images part of your google search? Seems one of the meanings (a verb) is used more than the others...

          (if I need to be less subtle, the image search for that character is NSFW)

        • by vegiVamp (518171)
          Of course. Microsoft's entire OS is based around the tenet that users are stupid and will make mistakes all the time, which the software should transparently correct for them.
      • by QuoteMstr (55051)

        To be fair, sub-addressing (using both the '-' and '+' characters) was around well before the creators of Google graduated from high school.

      • by pjt33 (739471)

        Did you know that apostrophes are legal in the username portion of the email address? Yet how many web sites do you think would allow you to sign up as "First_O'Last@mailserver.net"?

        I recently sent an e-mail to a firstname.o'connell@host.gov.uk (no need to let her get random spam) in order to submit my response to a consultation the British Civil Service is making on policy relating to voter registration. Crossed my fingers and sent it via gmail.

      • by russotto (537200)

        > I've looked through RFC822, and the inclusion of "+" in an email is not excluded, so it's perfectly legal. GMail's functional use of it, however (account+foo@gmail.com and account+bar@gmail.com both go to account@gmail.com, for easy tagging/filing) is just an implementation that takes advantage of the fact that most people do not have + signs in their email addresses.

        It's a common convention that has been around at least since the '90s and probably earlier; I don't know where it started. I use underscores

  • Unless I'm missing something, the article can be summarized: "Guess the person's email address, check if the md5 hash of the address you guessed matches the Gravatar. If it matches you guessed correctly."

    Nothing to see here. Move along...

    In other news, all password hashes can eventually be cracked by brute force... Oh noes!

    • Exactly. Not like it matters anyway. I even post my email up on my website so people can like, you know, email me!

    • by icepick72 (834363)
      Except that said mechanism provides a sure way to verify that an email address exists. Once an addy is correctly guessed the user cannot pretend to hide by not responding to resulting spam, because that account is *known* to exist prior to spamming (not a shot in the dark like most spam attempts). And it's known for sure because StackOverflow requires a valid email address when a user signs up for an account - to carry out StackOverflow account verification through an email link sent to the user for clic
  • ...I thought "Gravatar" was a new theoretical exotic particle, like a Graviton, especially when used with the following "can leak", but this actually makes more sense - sort of - though I don't know if "leak" is the best verb here. In any case, I gotta stop reading science journals late at night.
  • by gman003 (1693318)
    Do you consider your email address private info, need-to-know only? With a decent spam filter and easy-to-use block features, it really isn't a problem. I provide mine to pretty much anyone who asks. The only thing I do is keep it in a non-scrapable format, to keep it from getting on too many spam lists.
    • by u38cg (607297)
      Having exposed my current email publicly for ~6 years now, I have come to the conclusion that spammers don't, mostly, screenscrape or trade addresses. I used to post a fair bit on Usenet and I am fairly sure most of the spam I get is from spammers who picked up my email address there. I now typically get about 3-400 spam per month, which is a pretty reasonable trade-off for transparency.
      • > I used to post a fair bit on Usenet and I am fairly sure most of the spam I
        > get is from spammers who picked up my email address there.

        I still post a fair bit on Usenet. Most of the spam I get is not from spammers who picked up my email address there.

  • I actually *just* (20 minutes ago) put my picture up there. Can you guess my email ;)

    • I'm not sure if you were sarcastic or not, but your email address is at gmail, and I'm gonna mention Fight Club, and there's no I in team. Do you want me to post your email address more plainly?

      So, yeah, posting email hashes is only a little bit safer than posting the full text.

    • by Anonymous Coward on Wednesday December 16, 2009 @02:31AM (#30454584)

      Your email is: tyler.szabo _AT_ gmail.com

      md5 -s "tyler.szabo@gmail.com"
      MD5 ("tyler.szabo@gmail.com") = e9af4cb49c97162d6be3ea8c6ca90a46

      For bonus points, your name is Tyler Szabo, you go to University of Waterloo and plan on graduating in 2011. You work at Amazon. You are in a relationship with a Kaylan Elizabeth L. (last name withheld as a courtesy, I'm sure you know who I mean :) ).

      I found out you registered this, looked up your avatar on Gravatar, found you on Stack Overflow which gave me your real name (searched for Szabo assuming that was something to do with you). Using this, I looked you up on Facebook, Twitter, and various other sites. Your single avatar helped me link everything together. Once I had your real name from Stack Overflow it became easy.

      Good times. Perhaps this reveals another security vulnerability? One avatar links -ALL- your social networking.

      I also have your parents, previous employers, etc, but won't post those here :)

      • Re: (Score:3, Funny)

        by Anonymous Coward

        > Your email is: tyler.szabo _AT_ gmail.com

        > md5 -s "tyler.szabo@gmail.com"

        Nice job obfuscating his email in the first line.

  • by topham (32406) on Wednesday December 16, 2009 @02:12AM (#30454500) Homepage

    Use your email address with "+randomsequence"@

    Randomsequence will have to be consistent between the user and the sites they want the gravatar to work at, but it will generate an MD5 hash different than their actual address; yet if the site sends email to the user with it the user will receive it.

  • by bcrowell (177657) on Wednesday December 16, 2009 @02:19AM (#30454524) Homepage

    But is this significantly easier than other methods of harvesting email addresses? Spammers already do dictionary attacks on big providers like yahoo. It's not clear to me that this method is a better way of generating a list of email addresses. If you carry out a dictionary attack on yahoo.com, you're going to come up with probably tens of millions of valid email addresses. If you carry out this attack on gravatar.com, how many addresses are you going to get for your trouble? 10% of gravatar's users, apparently -- which I'm guessing is not really that big a number. Remember, once a spammer has a botnet, it costs him zero to send out one more spam to test whether a particular address is valid. Therefore the dictionary attack is free.

    The defense against dictionary attacks is also exactly the same as the defense against this attack: either don't use a big email provider, or use a big email provider but pick a username that has a lot of characters (so it's not vulnerable to brute-forcing) and is also not vulnerable to dictionary attacks.

  • Not A Bug (Score:3, Insightful)

    by lhunath (1280798) <lhunathNO@SPAMlyndir.com> on Wednesday December 16, 2009 @02:39AM (#30454618) Homepage

    Email addresses are usernames. They are not secret information. If somebody can be bothered enough to find your email address through brute-forcing the MD5 hash of it; you've got bigger problems.

    Far more than "10% of stackoverflow.com's users" can have their email addresses GUESSED far faster. Likely your email address is also FAR easier to establish through a simple Google search on your pseudonyms.

    If you for some odd reason want your email address to be secret; for the same name as wanting a secret pseudonym or using a false name when signing up; register a fake email address instead (and set it up for forwarding). You're giving your email address in clear text to the site's owner and all the internet hops inbetween him and you ANYWAY.

    It's important to learn to distinguish between what is a secret and what is not; and if you want to make things secret, at what level you should put your trust.

    • by ukyoCE (106879)

      I'd disagree. Every site I can think of off the top of my head uses e-mail addresses and usernames as separate entities if the username is public. For instance netflix uses e-mail addresses to login, but they have you create a separate username for posting reviews and other shared/social parts of the site. Likewise slashdot makes sharing your e-mail address optional. And even the site in question tried to hide the e-mail address, they just did a very poor job of it.

  • What if Gravatar published a public key, and sites displaying Gravatars pointed their image links to encrypt(gravatar_id + random_salt)? It seems like this would solve the problem, since people viewing the page can't get access to the users' real Gravatar IDs. Sure, the forum sites would still see your Gravatar ID, but they already have your email address in the first place.

    • by Kijori (897770)

      Two points.

      Firstly, the image files can't be static if you're using the salt, since the gravatar backend would have to remove it and look up the gravatar_id; this would increase running costs for gravatar by a considerable amount. Second, if you're using a gravatar_id why bother with the encryption? As long as there's no way for the gravatar ID to be resolved back to an email address it doesn't matter if people know it, especially since knowing the encrypted version would necessarily be functionally identic

  • It's not exactly big news that a system based on MD5 hashes is susceptible to dictionary-style attacks; this should be obvious to anyone who understands how hashes work. In order for this particular attack to work, the attacker already has to have some reasonable guesses as to what your e-mail address is; the Gravatar trick only confirms the address. So it seems to me that the amount of additional data leaked is fairly small.

    OTOH, I suppose I'm somewhat desensitized to this sort of thing, since I've had the

  • Could provide an API (Score:2, Interesting)

    by Mathinker (909784)

    From Gravatar's FAQ:

    MD5 isn't strong enough encryption, they've cracked that haven't they?

    MD5 is plenty good for obfuscating the email address of users across the wire. If you're thinking of rainbow tables, those are all geared at passwords (which are generally shorter, and less globally different from one another) and not email addresses; furthermore they are geared at generating anything that matches the hash, NOT the original data being hashed. If you are thinking about being able to reproduce a collision, you still don't necessarily get the actual email address being hashed from the data generated to create the collision. In either case the work required to both construct and operate such a monstrosity would be prohibitively costly. If we left your password lying around in the open as a plain MD5 hash someone might be able to find some data (not necessarily your password) which they could use to log in as you... Leaving your email address out as an MD5 hash, however, is not going to cause a violent upsurge in the number of fake Rolex watch emails that you get. Let's face it, there are far more lucrative, easier ways of getting email addresses. I hope this helps ease your mind.

    So, they might have already thought about this vulnerability and dismissed it as not interesting.

    They could still fix their concept by providing an API where a website wanting to discover the avatar for a given email first hashes the email with MD5 and then the Gravatar URL which is generated redirects them to a link to the image (which contains no information about the email address, or perhaps uses a salted [wikipedia.org] hash). This, in conjunction with rate limiting the number of queries per websit

  • Some email providers have a simple way of giving you a throw away id. E.g example+slashdotnospam@gmail.com is sent to example@gmail.com.

    Say my name is Lary Page. If my email id is lary.page@gmail.com, I can still protect myself so that you will never get my email id.

    MD5 (lary.page@gmail.com) = "1b8dbe98e2b1138fd3ba34e26fc55107".

    So I provide my email id as lary.page+1b8dbe98e2b1138fd3ba34e26fc55107@gmail.com. If I gave you the md5 of that id, you'll find it hard to get back to lary.page@gmail.com.

    Try, the

  • I think most of us figured out this possibility within 30 seconds of seeing how Gravatar worked.

    One solution would be to have a private salt known only to Gravatar and the implementing website. Gravatar could determine the correct salt to use based on the referrer.

    Of course this would mean each subscriber would need to be hashed against each salt in the Gravatar database.

    In either case, I don't think it's really that big a deal.
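As an added example (not code from the original page, from Gravatar, or from any commenter), the following Python shows the attack the thread describes from the "guess the address, hash it, compare" summary onward, together with the two countermeasures proposed above: the "+randomsequence" sub-addressing trick and a per-site keyed hash on the service side. The provider list, the target address and the site keys are constructed for the demonstration; `keyed_avatar_id` is the design sketched in the comments, not anything Gravatar implemented.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterator, Optional


def gravatar_id(email: str) -> str:
    """Gravatar's documented avatar ID: trim, lowercase, MD5, hex digest."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed provider list; a real harvester would use a much longer one.
COMMON_PROVIDERS = ("gmail.com", "yahoo.com", "hotmail.com", "live.com")


def candidate_addresses(username: str) -> Iterator[str]:
    """Derive plausible addresses from a public display name or handle."""
    base = username.strip().lower()
    local_parts = {base, base.replace(" ", "."), base.replace(" ", "_"), base.replace(" ", "")}
    for local in sorted(local_parts):
        for provider in COMMON_PROVIDERS:
            yield f"{local}@{provider}"


def crack_gravatar(target_id: str, username: str) -> Optional[str]:
    """Dictionary attack: first candidate whose Gravatar ID matches, else None."""
    target_id = target_id.strip().lower()
    for email in candidate_addresses(username):
        if gravatar_id(email) == target_id:
            return email
    return None


def subaddressed(email: str, tag: str) -> str:
    """user@host -> user+tag@host, the '+' convention Gmail and others honour.

    The tag has to be used consistently at every site, the provider must
    accept '+', and any site that sees the address in clear can strip it.
    """
    local, sep, domain = email.partition("@")
    if not sep:
        raise ValueError("not an email address")
    return f"{local}+{tag}@{domain}"


def keyed_avatar_id(email: str, site_key: bytes) -> str:
    """Per-site keyed hash (HMAC-SHA256) in place of a bare MD5.

    Without the key a guesser cannot hash candidates, and the same address
    gets unrelated IDs on different sites, so avatars no longer link accounts.
    """
    norm = email.strip().lower().encode("utf-8")
    return hmac.new(site_key, norm, hashlib.sha256).hexdigest()


def demo() -> Dict[str, object]:
    """Run the attack against a constructed user, then against both defences."""
    victim = "alice.example@gmail.com"          # constructed target
    handle = "Alice Example"                    # what the forum shows publicly

    plain = crack_gravatar(gravatar_id(victim), handle)

    tagged = subaddressed(victim, secrets.token_hex(8))   # e.g. alice.example+3f9a...@gmail.com
    after_tag = crack_gravatar(gravatar_id(tagged), handle)

    key_site_a, key_site_b = secrets.token_bytes(32), secrets.token_bytes(32)
    id_a = keyed_avatar_id(victim, key_site_a)
    id_b = keyed_avatar_id(victim, key_site_b)

    return {
        "recovered_from_md5": plain,            # alice.example@gmail.com
        "recovered_after_subaddressing": after_tag,  # None
        "keyed_ids_linkable_across_sites": id_a == id_b,  # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The attack succeeds only because the candidate space is small: a public handle times a handful of providers. That is the same observation several commenters make about dictionary attacks on the providers themselves, and the same reason a long random `+tag` (or an unusual local part) takes the address out of reach. The keyed variant moves the secret to the service, at the cost the thread notes: the image URL can no longer be a static MD5 that any site computes on its own.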

  • Call me when he finds a way to determine the email after gravatar starts adding a pinch of salt to the hashed emails...

  • Who cares? (Score:2, Interesting)

    by johny42 (1087173)

    Using &#64; instead of @ is enough to stop most e-mail harvesting bots, I don't see them brute-forcing MD5s any time soon.

  • It's obvious to everyone who understands how it works.
    Geez...

    As the email of Gabe (from Valve) is well known, and gravatars can be used in a pseudo-anonymous way, I tried to search the internet for the hash of his email in images.google.com. Not found. Either Gabe doesn't talk in Gravatar-powered forums, or he uses a different email address.

    So, if you use gravatars, and other people know your email, they can search for your posts. This is obvious from the use of MD5. With your address hashed with MD5, spam bots can't collect addr

  • That's why I use a new hotmail address usually made with the sites name and my own to keep logs of everything that comes from there, so if anything is compromised, then I know usually where it comes from. Also I have no worries someone gets my address as it is irrelevant seeing as it is not my real one.

  • The important part of the trick is that you have to assume the email address is the same as the username and then compare the hashes of that name @yahoo.com, @hotmail.com, @gmail.com, and other popular email services. Because people that use those webmail addresses have never received spam before.

    If any spammer did try this, I would expect them to be very pissed off to discover that after all that work they already had 99% or more of those addresses to begin with.

  • If your email address is common-word@famousprovider.com, then the spammers have already put your email address into their lists. Why not? They don't care if 95% of the mail they send bounces, and they don't care if they target any specific person; the "hit" rate they need to make a profit is negligible. I see spam attempts to thousands of never-existed addresses on my colo, and my home domain is pretty damn obscure. I'm sure Gmail gets hits from aaron.aardvark through zephram.zymurgy continually.
