Slashdot Mirror


Gravatars Can Leak Users' Email Addresses

abell writes "Gravatar offers a global avatar service, using an MD5 hash of the user's email as avatar ID. This piece of information in some cases is enough to retrieve the original email address. Testing a simple attack on stackoverflow.com, I was able to determine the email addresses of more than 10% of the site's users."

2 of 170 comments

  1. Re:So let's change the algorithm. by geekpowa · Score: 5, Informative

    The attack doesn't rely on MD5 itself or MD5 collisions. It would work no matter what hashing algorithm was used.

  2. Re:So let's change the algorithm. by DrSkwid · Score: 4, Informative

    1) register as a website with gravatar, find out how long the salt is
    2) register on stackoverflow with your email address
    3) enumerate the possibilities until you find the hash of your own address and therefore the salt
    4) extract 8000+ emails from stackoverflow
    5) repeat for other sites

    --
    There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter
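The exposure the submission describes, and the point geekpowa makes about it not depending on MD5, can be shown in a few lines. The following is an added example written for this page, not code from the submitter, Gravatar or Stack Overflow. It uses Gravatar's published recipe (MD5 of the trimmed, lower-cased address) and a constructed user list and candidate list; `keyed_hash`, `SERVICE_KEY` and the HMAC-SHA256 scheme are a hypothetical alternative for comparison, not anything Gravatar does. Run against a service's own published avatar hashes, `exposure_fraction` is the measurement the submitter reports (how many identifiers a candidate list resolves); the keyed variant shows why an identifier derived under a long secret held by the service does not resolve, which is the same reason a short, enumerable salt would not help.

```python
import hashlib
import hmac

# Constructed sample data: made-up addresses standing in for a site's users
# (note the stray whitespace and capitals, which the hashing recipe removes)
# and a constructed candidate list an auditor would compare against.
SAMPLE_USERS = [
    "  Alice.Example@example.com ",
    "bob@example.org",
    "carol@example.net",
    "dave@example.com",
]

CANDIDATE_ADDRESSES = [
    "alice.example@example.com",
    "bob@example.org",
    "erin@example.com",
]

# Hypothetical per-service secret for the keyed variant.  Example value only;
# a real deployment would use 32+ random bytes from a CSPRNG and never publish it.
SERVICE_KEY = b"example-only-key: replace with random bytes from a CSPRNG"


def gravatar_hash(email: str) -> str:
    """Unkeyed Gravatar-style identifier: MD5 of the trimmed, lower-cased address.

    The weakness is not MD5: the input space (real e-mail addresses) is small
    and guessable, so any unkeyed hash can be matched from a candidate list.
    """
    normalized = email.strip().lower()
    return hashlib.md5(normalized.encode("utf-8")).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    """Hypothetical alternative: HMAC-SHA256 under a long secret held by the service.

    Without the key a third party cannot compute the identifier for a guessed
    address, so the candidate-list comparison below finds nothing.
    """
    normalized = email.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


def recover_addresses(published_hashes, candidates, hash_fn):
    """Map published identifiers back to candidate addresses using hash_fn.

    hash_fn is whatever an outsider can compute; returns {hash: address} for
    every identifier that resolves.
    """
    lookup = {hash_fn(c): c.strip().lower() for c in candidates}
    return {h: lookup[h] for h in published_hashes if h in lookup}


def exposure_fraction(users, candidates, service_hash_fn, outsider_hash_fn):
    """Fraction of a service's published identifiers that a candidate list resolves.

    service_hash_fn is how the service derives identifiers; outsider_hash_fn is
    what someone without the service's secrets can compute.
    """
    published = [service_hash_fn(u) for u in users]
    hits = recover_addresses(published, candidates, outsider_hash_fn)
    return len(hits) / len(published)


if __name__ == "__main__":
    unkeyed = exposure_fraction(SAMPLE_USERS, CANDIDATE_ADDRESSES,
                                gravatar_hash, gravatar_hash)
    keyed = exposure_fraction(SAMPLE_USERS, CANDIDATE_ADDRESSES,
                              lambda e: keyed_hash(e, SERVICE_KEY), gravatar_hash)
    print(f"unkeyed MD5 identifiers resolved: {unkeyed:.0%}")   # 50% on the sample data
    print(f"keyed HMAC identifiers resolved:  {keyed:.0%}")     # 0%
```

The normalization step matters for the audit: an address stored with capitals or surrounding whitespace still yields the same identifier as its canonical form, so the candidate list should be normalized the same way rather than compared literally.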