Email disclosure attack on Gravitar

It turns out that the ‘Gravitar’ avatar-generating mechanism, as used here and a variety of other sites, discloses the MD5 hash of the user’s email. Not enough to be useful against a totally naive attacker; but within the realm of brute-forceable if combined with some additional information (email suffix, that sort of thing) to guide the attack.

You can easily work around this by adding routing eg:

We covered this issue here:

I originally raised this here in 2009:

Our plan is to allow users to upload avatars and opt out of gravatar. It is next up on @zogstrip’s list.

naïve question: this applies to the randomly generated gravatar like mine, or the one you sign up for and create like yours, or both of them? no I did not RTF link, but will if this applies to me.

It would apply to both, at least until we implement local avatars.

hey, I’m green now! i suppose I wasn’t very threatened by the nature of that security threat (and I’m a bit too dumb to follow the explanation fully) but hey: “just because I’m paranoid doesn’t mean they aren’t out to get me.”

I’ve had my discourse-specific avatar designed and ready to go since y’all first mentioned it was to be implemented, soooo … y’know, any day now …

FYI we now support local avatars


And there was much rejoicing.

This topic was automatically closed after 1297 days. New replies are no longer allowed.