Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gravatars Can Leak Users' Email Addresses

Posted by kdawson on Tuesday December 15, 2009 @05:20PM from the chatty-little-things dept.

abell writes "Gravatar offers a global avatar service, using an MD5 hash of the user's email as avatar ID. This piece of information in some cases is enough to retrieve the original email address. Testing a simple attack on stackoverflow.com, I was able to determine the email addresses of more than 10% of the site's users."

1 of 170 comments (clear)

Min score:

Reason:

Sort:

Re:So let's change the algorithm. by geekpowa · 2009-12-15 17:36 · Score: 5, Informative

The attack doesn't rely on MD5 itself or MD5 collisions. It would work no matter what hashing algorithm was used.