Slashdot Mirror


Gravatars Can Leak Users' Email Addresses

abell writes "Gravatar offers a global avatar service, using an MD5 hash of the user's email as avatar ID. This piece of information in some cases is enough to retrieve the original email address. Testing a simple attack on stackoverflow.com, I was able to determine the email addresses of more than 10% of the site's users."

9 of 170 comments

  1. Public address by AlpineR · · Score: 4, Funny

    Here's my own Gravatar hash:

    b835b33911b93c136d8e61cbbbe6736d

    Who will be the first to crack it?

    1. Re:Public address by Yvan256 · · Score: 4, Funny

      Is it wagnerr@umich.edu?

    2. Re:Public address by edwebdev · · Score: 1, Funny

      Here's a Slashdot post that shows my e-mail address next to my username.

      Who will be the first to crack it?

      Fixed that for you.

    3. Re:Public address by palegray.net · · Score: 4, Funny

      I'm certain his email must be umich@wagnerr.edu. Now I just need to figure out why he's attending Wagner of all schools, and how the heck they managed to typo their own domain name.

    4. Re:Public address by grcumb · · Score: 4, Funny

      That took all of one second to find in an md5 lookup database. And thirty seconds for me to realize that I could have looked two lines higher to see it in plaintext next to your userid. :wallbash:

      Upside: You get to keep your geek card.

      Downside: You'll never survive the world outside your basement.

      8^)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.

  2. e9af4cb49c97162d6be3ea8c6ca90a46 by iSzabo · · Score: 2, Funny

    I actually *just* (20 minutes ago) put my picture up there. Can you guess my email ;)

    1. Re:e9af4cb49c97162d6be3ea8c6ca90a46 by Anonymous Coward · · Score: 3, Funny

      Your email is: tyler.szabo _AT_ gmail.com

      md5 -s "tyler.szabo@gmail.com"

      Nice job obfuscating his email in the first line.

  3. Re:So let's change the algorithm. by Anonymous Coward · · Score: 1, Funny

    I think you need to stop giving crypto advice for the day, it's not going very well.

  4. In the grand scheme of things this is pretty minor by Just+Brew+It! · · Score: 2, Funny

    It's not exactly big news that a system based on MD5 hashes is susceptible to dictionary-style attacks; this should be obvious to anyone who understands how hashes work. In order for this particular attack to work, the attacker already has to have some reasonable guesses as to what your e-mail address is; the Gravatar trick only confirms the address. So it seems to me that the amount of additional data leaked is fairly small.

    OTOH, I suppose I'm somewhat desensitized to this sort of thing, since I've had the same primary e-mail address for something like 15 years (going back to the days when I was rather active on Usenet). My e-mail address is already in every spammer database on the planet, so I don't see how a few more people knowing it could make things any worse!
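The summary and the comment above both turn on the same property: an unkeyed MD5 of a normalized address is a deterministic identifier, so anyone holding a short list of plausible addresses can confirm which one produced a given avatar id. The script below is an added illustration, not code from the story, Gravatar, or any commenter. It reproduces Gravatar's documented normalization (trim whitespace, lowercase, MD5) so a site operator can check their own users' ids against a candidate list, and puts beside it a keyed alternative (HMAC-SHA256 under a server-side secret) that the page does not describe and is an assumption of mine about how such a service could avoid the leak. All addresses are constructed example.com-style values, and the attacker's stand-in key is a placeholder.

```python
import hashlib
import hmac
import secrets

def gravatar_hash(email: str) -> str:
    """Gravatar's published rule: strip surrounding whitespace, lowercase, MD5.
    The normalization means 'Bob@Example.org' and 'bob@example.org' share one id."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

def keyed_avatar_id(email: str, server_key: bytes) -> str:
    """Hardened variant (assumption, not Gravatar's scheme): the same normalized
    address, but digested under a secret key the service never publishes, so the
    id cannot be recomputed from a candidate address alone."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(server_key, normalized, hashlib.sha256).hexdigest()

def find_matching_address(avatar_id: str, candidates, id_fn):
    """Return the first candidate address whose id equals avatar_id, else None.
    This is the confirmation step the story describes: a list of guesses plus
    the public id. compare_digest keeps the comparison constant-time."""
    for candidate in candidates:
        if hmac.compare_digest(id_fn(candidate), avatar_id):
            return candidate
    return None

# Constructed candidate list standing in for an attacker's guesses (e.g. names
# scraped from a profile page); none of these are real users.
CANDIDATES = ["alice@example.com", "bob@example.org", "carol@example.net"]

def demo():
    """Compare the two schemes on one constructed user.

    Returns (address recovered from the MD5 id, address recovered from the keyed id).
    """
    user_address = "Bob@Example.org"          # constructed; note the mixed case

    # Unkeyed scheme: the public id is enough to confirm the guess.
    public_id = gravatar_hash(user_address)
    recovered_from_md5 = find_matching_address(public_id, CANDIDATES, gravatar_hash)

    # Keyed scheme: the service keeps server_key private. Someone outside the
    # service can only digest under a key of their own, modelled here with a
    # placeholder key, so no candidate matches.
    server_key = secrets.token_bytes(32)
    keyed_id = keyed_avatar_id(user_address, server_key)
    outsider_guess = lambda e: keyed_avatar_id(e, b"placeholder-key-not-the-server's")
    recovered_from_keyed = find_matching_address(keyed_id, CANDIDATES, outsider_guess)

    return recovered_from_md5, recovered_from_keyed

if __name__ == "__main__":
    md5_result, keyed_result = demo()
    print("MD5 avatar id confirmed address:", md5_result)      # bob@example.org
    print("Keyed avatar id confirmed address:", keyed_result)  # None
```

The keyed variant only helps if the secret stays server-side and the same key is used consistently, so existing clients keep getting a stable id per user; it also changes nothing about users who already publish their hash elsewhere, which is the point the thread's jokes make. Rate limiting or tokenizing avatar lookups would be a separate control and is not shown here.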