Gravatars Can Leak Users' Email Addresses
abell writes "Gravatar offers a global avatar service, using an MD5 hash of the user's email as avatar ID. This piece of information in some cases is enough to retrieve the original email address. Testing a simple attack on stackoverflow.com, I was able to determine the email addresses of more than 10% of the site's users."
It's not, any hashing function would be subject to the same problem. If you RTFA you'll find that they just brute force combinations of the user name and common email domains.
To actually fix this would require not hashing (only) email address, you could mix in some secret salt with the email before hashing, or you could use encryption (with a secret key), or you could just hand out unique identifiers which are associated only in the Gravitar database. I don't know if any of these are feasible for this particular application though.
Game! - Where the stick is mightier than the sword!
The attack doesn't rely on MD5 itself or MD5 collisions. It would work no matter what hashing algorithm was used.
MD5 collisions actually don't help the attacker here, in fact, an MD5 collision would simply be a false positive for this case (the attacker thinks they've found the email address, but they haven't).
And you didn't think of Gravitar instead? Kids these days...
http://en.wikipedia.org/wiki/Gravitar
I've looked through RFC822, and the inclusion of "+" in an email is not excluded, so it's perfectly legal. GMail's functional use of it, however (account+foo@gmail.com and account+bar@gmail.com both go to account@gmail.com, for easy tagging/filing) is just an implementation that takes advantage of the fact that most people do not have + signs in their email addresses.
The RFC is actually pretty promiscuous; it's only implementations of it that fall short. Did you know that apostrophes are legal in the username portion of the email address? Yet how many web sites do you think would allow you to sign up as "First_O'Last@mailserver.net"? Heck; it's amazing how many sites forbid the '+' sign that Google takes advantage of.
The CB App. What's your 20?
Not really, since the salt would need to be publicly known for Gravatar to work (and it would break any backwards compatibility to add it in now). This was a 'social engineering' attack, not a rainbow table lookup – it pieced the name together with common providers to find a matching MD5. Salt would just add a single extra step.
I believe it's exactly the same problem/attack as was brought up about MicroID in the past. The idea of Pavatar is a much better way to do this sort of avatar-finding (though the decentralisation comes with its own problems), since it relies on a public web address instead of a semi-private e-mail address.
It is, actually. If you don't include the -n option for echo, it will insert a \n to the string, changing the md5, which is the hash you got.
Wagner Computer Science program -- Page Not Found. Looks like that answered your question.
Heck; it's amazing how many sites forbid the '+' sign that Google takes advantage of
Here's what happened in hotmail when I tried to e-mail to [name]+bananas@hotmail.com
http://i49.tinypic.com/fbjh1j.png
I googled that odd character and it seems to be Chinese
Hotmail treats the "send a message from one of your disposable addresses" generated by Spamgourmet as a typo.
[Fuck Beta]
o0t!
Bolex make [motion picture] cameras, not watches, and were very important in the early television news reels. Even today they are a staple in film schools.
1) register as a website with gravatar, find out how long the salt is
2) register on stackoverflow with your email address
3) enumerate the possibilities until you find the hash of your own address and therefore the salt
4) extract 8000+ emails from stackoverflow
5) repeat for other sites
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter