Slashdot Mirror


Gravatars Can Leak Users' Email Addresses

abell writes "Gravatar offers a global avatar service, using an MD5 hash of the user's email as avatar ID. This piece of information in some cases is enough to retrieve the original email address. Testing a simple attack on stackoverflow.com, I was able to determine the email addresses of more than 10% of the site's users."

2 of 170 comments

  1. Re:So let's change the algorithm. by geekpowa · Score: 5, Informative

    The attack doesn't rely on MD5 itself or MD5 collisions. It would work no matter what hashing algorithm was used.
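
The point geekpowa makes above (the matching works with any hash, not just MD5) and the hash-then-compare step abell describes in the summary, as an added example that is not part of this thread or of Gravatar's code: it builds the Gravatar identifier (MD5 of the trimmed, lower-cased address, as Gravatar documents), recovers an address from a constructed candidate list with MD5 and then with SHA-256, and shows that a keyed hash whose secret stays with the avatar service (an assumed mitigation, not Gravatar's design) cannot be matched the same way. The candidate addresses and the secret are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample data: a short list of candidate addresses a site
# operator might already hold in its own user table. Not real accounts.
CANDIDATES = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]


def normalise(email: str) -> bytes:
    # Gravatar documents trimming whitespace and lower-casing before hashing.
    return email.strip().lower().encode("utf-8")


def gravatar_id(email: str) -> str:
    """The avatar identifier as Gravatar builds it: hex MD5 of the address."""
    return hashlib.md5(normalise(email)).hexdigest()


def unkeyed_id(email: str, algorithm: str) -> str:
    """Same construction with any hashlib algorithm (sha256, sha3_256, ...)."""
    return hashlib.new(algorithm, normalise(email)).hexdigest()


def recover_email(target_id: str, candidates, algorithm: str):
    """Hash each candidate and compare. Returns the matching address or None.

    The cost is one hash per candidate, so the identifier is only as private
    as the address is hard to guess; the choice of algorithm does not change
    that, which is geekpowa's point.
    """
    for candidate in candidates:
        if hmac.compare_digest(unkeyed_id(candidate, algorithm), target_id):
            return candidate
    return None


def keyed_id(email: str, secret: bytes) -> str:
    """Assumed mitigation (not Gravatar's design): HMAC under a secret that
    only the avatar service holds. A third party cannot hash a candidate
    address and compare, because it lacks the key."""
    return hmac.new(secret, normalise(email), hashlib.sha256).hexdigest()


def demo() -> dict:
    results = {}
    public_id = gravatar_id("Alice@Example.com ")
    results["md5"] = recover_email(public_id, CANDIDATES, "md5")
    # Swapping MD5 for SHA-256 changes nothing about the exposure.
    sha_id = unkeyed_id("alice@example.com", "sha256")
    results["sha256"] = recover_email(sha_id, CANDIDATES, "sha256")
    # A keyed identifier is not matched by hashing candidates without the key.
    secret = b"constructed-server-side-secret"  # placeholder, not a real key
    private_id = keyed_id("alice@example.com", secret)
    results["keyed_vs_md5"] = recover_email(private_id, CANDIDATES, "md5")
    results["keyed_vs_sha256"] = recover_email(private_id, CANDIDATES, "sha256")
    return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name:16} -> {found}")
```

Running it recovers `alice@example.com` for both the MD5 and SHA-256 identifiers and returns `None` for the keyed one; the lesson for anyone publishing a hash of a low-entropy identifier is that the hash function is not the weak point, the guessable input is.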

  2. Re:e9af4cb49c97162d6be3ea8c6ca90a46 by Anonymous Coward · Score: 5, Interesting

    Your email is: tyler.szabo _AT_ gmail.com

    md5 -s "tyler.szabo@gmail.com"
    MD5 ("tyler.szabo@gmail.com") = e9af4cb49c97162d6be3ea8c6ca90a46

    For bonus points, your name is Tyler Szabo, you go to University of Waterloo and plan on graduating in 2011. You work at Amazon. You are in a relationship with a Kaylan Elizabeth L. (last name withheld as a courtesy, I'm sure you know who I mean :) ).

    I found out you registered this, looked up your avatar on Gravatar, found you on Stack Overflow which gave me your real name (searched for Szabo assuming that was something to do with you). Using this, I looked you up on Facebook, Twitter, and various other sites. Your single avatar helped me link everything together. Once I had your real name from Stack Overflow it became easy.

    Good times. Perhaps this reveals another security vulnerability? One avatar links -ALL- your social networking.

    I also have your parents, previous employers, etc., but won't post those here :)