Email disclosure attack on Gravatar


#1

It turns out that the 'Gravatar' avatar-generating mechanism, as used here and on a variety of other sites, discloses the MD5 hash of the user's email. Not enough to be useful against a totally naive attacker; but within the realm of brute-forceable if combined with some additional information (email suffix, that sort of thing) to guide the attack.


#2

You can easily work around this by adding routing, e.g.: bla+somecrazystring@gmail.com

We covered this issue here:

I originally raised this here in 2009:

http://meta.stackoverflow.com/questions/21117/is-using-gravatar-a-security-risk


Our plan is to allow users to upload avatars and opt out of gravatar. It is next up on @zogstrip's list.
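The mechanism described in the first two posts, as an added example that is not part of the original thread: Gravatar's avatar identifier is the MD5 of the trimmed, lowercased address (that normalisation is Gravatar's documented rule; the function names, the `alice@example.com` addresses and the `discourse-x7q` tag below are constructed for illustration). The code shows why a public avatar URL lets anyone who already knows, or can guess, an address confirm it against a profile, and why the plus-addressing workaround breaks that link: the tagged address hashes to a completely different value.

```python
import hashlib
import re
from typing import Optional

# Gravatar serves avatars from this path; the 32-hex-char segment is the MD5.
GRAVATAR_BASE = "https://www.gravatar.com/avatar/"
_HASH_IN_URL = re.compile(r"/avatar/([0-9a-f]{32})")


def gravatar_hash(email: str) -> str:
    """Gravatar's documented normalisation: strip whitespace, lowercase, MD5."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80, default: str = "identicon") -> str:
    """Build the avatar URL a site would embed in a public profile page."""
    return f"{GRAVATAR_BASE}{gravatar_hash(email)}?s={size}&d={default}"


def hash_from_url(url: str) -> Optional[str]:
    """Pull the hash out of a Gravatar URL, or None if the URL is not one."""
    m = _HASH_IN_URL.search(url)
    return m.group(1) if m else None


def url_reveals_email(url: str, email: str) -> bool:
    """True if the avatar URL on a profile is linked to this exact address.

    This is the disclosure: the hash is not reversible, but anyone holding a
    candidate address can check it against the public URL in one MD5 call.
    """
    return hash_from_url(url) == gravatar_hash(email)


def plus_address(email: str, tag: str) -> str:
    """Apply the sub-addressing workaround from the thread (local+tag@domain).

    Mail still routes to the same mailbox, but the Gravatar hash changes, so
    the avatar no longer confirms the bare address.
    """
    local, _, domain = email.partition("@")
    return f"{local}+{tag}@{domain}"


if __name__ == "__main__":
    real = "alice@example.com"            # constructed sample address
    tagged = plus_address(real, "discourse-x7q")  # constructed tag
    public_url = gravatar_url(real)
    print("profile avatar:", public_url)
    print("bare address confirmable from URL:", url_reveals_email(public_url, real))
    print("after plus-addressing, same hash?:",
          url_reveals_email(gravatar_url(tagged), real))
```

Note that the workaround only helps if the tagged address is not itself published anywhere; and, as the later posts say, a locally hosted avatar removes the hash from the profile altogether.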


#3

Naïve question: this applies to the randomly generated gravatar like mine, or the one you sign up for and create like yours, or both of them? No, I did not RTF link, but will if this applies to me.


#4

It would apply to both, at least until we implement local avatars.


#5

Hey, I'm green now! I suppose I wasn't very threatened by the nature of that security threat (and I'm a bit too dumb to follow the explanation fully) but hey: "just because I'm paranoid doesn't mean they aren't out to get me."

I've had my discourse-specific avatar designed and ready to go since y'all first mentioned it was to be implemented, soooo … y'know, any day now …


#6

FYI, we now support local avatars.


#7

And there was much rejoicing.


#8

This topic was automatically closed after 1297 days. New replies are no longer allowed.