Email disclosure attack on Gravatar


It turns out that the ‘Gravatar’ avatar-generating mechanism, as used here and on a variety of other sites, discloses the MD5 hash of the user’s email. Not enough to be useful against a totally naive attacker; but within the realm of brute-forceable if combined with some additional information (email suffix, that sort of thing) to guide the attack.


You can easily work around this by adding routing, e.g.:

We covered this issue here:

I originally raised this here in 2009:

Our plan is to allow users to upload avatars and opt out of gravatar. It is next up on @zogstrip’s list.
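As an added illustration (not code from this thread or from Discourse): how a Gravatar URL exposes the MD5 of the e-mail, and the kind of server-side proxying the "routing" workaround above refers to, where the page carries an opaque per-user token and the server fetches the Gravatar image. The `AvatarProxy` class, its `/user_avatar/` path and the secret are assumptions for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Gravatar's documented identifier: MD5 of the e-mail, trimmed and lowercased.
def gravatar_hash(email: str) -> str:
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

def public_gravatar_url(email: str, size: int = 80) -> str:
    # This is the disclosure: the e-mail's MD5 is embedded in the page markup.
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}&d=identicon"

# Hardened variant (assumed design, not Discourse's code): the page gets an
# opaque token that is not derived from the e-mail; only the server, which
# knows the e-mail, resolves the token to the upstream Gravatar URL.
class AvatarProxy:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._emails_by_user: Dict[int, str] = {}   # stands in for the user table

    def register(self, user_id: int, email: str) -> None:
        self._emails_by_user[user_id] = email

    def token_for(self, user_id: int) -> str:
        # HMAC over the user id with a server-side secret: stable per user,
        # but carries no information about the e-mail address.
        return hmac.new(self._secret, str(user_id).encode(), "sha256").hexdigest()[:32]

    def public_url(self, user_id: int, size: int = 80) -> str:
        # What the rendered page contains instead of the Gravatar URL.
        return f"/user_avatar/{self.token_for(user_id)}/{size}.png"

    def resolve(self, token: str, size: int = 80) -> Optional[str]:
        # Server side: look the token up and build the upstream URL to fetch.
        for uid, email in self._emails_by_user.items():
            if hmac.compare_digest(self.token_for(uid), token):
                return public_gravatar_url(email, size)
        return None

def page_leaks_email_hash(html: str, email: str) -> bool:
    # Simple check to run against rendered markup: does the MD5 of this
    # user's e-mail appear anywhere in the page?
    return gravatar_hash(email) in html.lower()
```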


Naïve question: does this apply to the randomly generated gravatar like mine, or the one you sign up for and create like yours, or both of them? No, I did not RTF link, but will if this applies to me.


It would apply to both, at least until we implement local avatars.


Hey, I’m green now! I suppose I wasn’t very threatened by the nature of that security threat (and I’m a bit too dumb to follow the explanation fully) but hey: “just because I’m paranoid doesn’t mean they aren’t out to get me.”

I’ve had my discourse-specific avatar designed and ready to go since y’all first mentioned it was to be implemented, soooo … y’know, any day now …


FYI, we now support local avatars.


And there was much rejoicing.

