Gravatar Considered Harmful

TLDR: If you run a website, please stop using gravatar as it exposes private user data.

Gravatar is a service designed to allow users to have a "globally recognized avatar", so that various blogs, forums, etc. around the web can show a user avatar without the user having to upload it to every service they use. It works by taking a hash of the user's email address and sending that as an image request to www.gravatar.com. Unfortunately the whole system is fundamentally insecure because there is no per-site data/secret associated with each email; it uses only plain MD5 (yes, the 100-billion-hashes-per-sec-on-my-home-rig MD5) of the user's email address as a lookup key. Because common email domains can be appended as a fixed suffix, recovering the address reduces to a simple brute force of the alphanumeric local part.

Maybe this wasn't an issue when gravatar was conceived, but today with tools like hashcat it is trivial to recover the plaintext from MD5 hashes. I tried to reach out to gravatar to ask if they were planning on addressing this, but their contact / support section is closed and the latest blog post is from 2014, leading me to believe that the service is no longer maintained.

One of the more problematic things about the whole situation is that the users whose email addresses are being exposed in this way often have no say in the matter. If the website you register with uses gravatar, your email address hash will be exposed any time you make a public post. Often there is no way to tell beforehand whether this will happen other than inspecting existing posts and looking to see if their avatars are hosted on gravatar. Users are at the mercy of blog owners and website developers as to whether their personal information is secure.
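The only check the post offers a user is to inspect existing posts and see whether avatars are served from gravatar. The following is an added example (not code from the post) that automates that inspection on a saved HTML page: it pulls every `<img src>` that points at a gravatar.com avatar endpoint and returns the lookup hashes it finds. The sample HTML and the hash values in it are constructed for illustration.

```python
"""Audit a page's HTML for avatars served from gravatar.com (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Gravatar avatar URLs carry the lookup hash as the last path segment
# (32 hex chars for MD5; longer digests are also accepted by the service).
_HASH_RE = re.compile(r"^/avatar/([0-9a-fA-F]{32,64})/?$")


class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def _is_gravatar_host(hostname):
    return hostname == "gravatar.com" or hostname.endswith(".gravatar.com")


def find_gravatar_avatars(html):
    """Return the lookup hashes of every <img> whose src is a gravatar avatar URL.

    Protocol-relative URLs (//secure.gravatar.com/...) are treated as https.
    Relative paths and images on other hosts are ignored.
    """
    collector = _ImgCollector()
    collector.feed(html)
    hashes = []
    for src in collector.srcs:
        if src.startswith("//"):
            src = "https:" + src
        url = urlparse(src)
        if not url.hostname or not _is_gravatar_host(url.hostname.lower()):
            continue
        match = _HASH_RE.match(url.path)
        if match:
            hashes.append(match.group(1).lower())
    return hashes


def uses_gravatar(html):
    """True if the page embeds at least one gravatar-hosted avatar."""
    return bool(find_gravatar_avatars(html))


# Constructed sample page: two gravatar avatars (hash values are made up) and one local image.
SAMPLE_HTML = """
<div class="post">
  <img class="avatar" src="https://www.gravatar.com/avatar/0123456789abcdef0123456789abcdef?s=32&d=identicon">
  <p>first post</p>
</div>
<div class="post">
  <img src="//secure.gravatar.com/avatar/fedcba9876543210fedcba9876543210?s=48">
  <img src="/static/img/logo.png">
</div>
"""

if __name__ == "__main__":
    for h in find_gravatar_avatars(SAMPLE_HTML):
        print("gravatar lookup hash exposed:", h)
```

Every hash the function returns is a value that anyone viewing the page can also read, which is exactly the exposure the post describes; a hit means the site is publishing an unsalted MD5 of someone's email address unless it applies a mitigation like the one discussed at the end of the post.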

As proof of concept, I grabbed the first page of gravatar results from the Common Crawl project. This resulted in just over 13k unique hashes. I ran these through hashcat on my GTX 960 (not a high end card by any means) for a few minutes and the hashes just flew by; over 1k gmail.com emails were trivial to acquire. I'm sure someone with more resources and motivation to target high profile sites that use gravatar (e.g. StackOverflow) could find many more. So please, if you care about user privacy (and in some cases email addresses may be considered personal data protected by law!), don't use gravatar.

Update: I reached out to StackOverflow regarding their use of gravatar as they are one of the largest networks using it. In order to mitigate this on their end, any emails that don't exist at gravatar are salted and hashed in a different way and the new hash is used at gravatar in order to generate an identicon. This is a non-standard way of using gravatar but limits the email disclosure to only those users who have actively made a gravatar account.
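To make concrete both the standard lookup key described at the start of the post and the salted-hash mitigation described in this update, here is an added example (not code from the post, from Gravatar, or from StackOverflow). It computes the standard key (MD5 of the trimmed, lowercased address) next to a per-site keyed alternative. The keyed variant is an assumption modelled on the described mitigation: HMAC-SHA256 under a secret only the site holds, truncated to 32 hex characters so it has the same shape as an MD5 digest; `has_gravatar_account` stands in for whatever lookup the site uses to decide which users actually have a gravatar.

```python
"""Standard gravatar lookup hash versus a per-site keyed alternative (added example)."""
import hashlib
import hmac


def canonical_email(email):
    """Gravatar's normalization: strip surrounding whitespace and lowercase."""
    return email.strip().lower()


def gravatar_hash(email):
    """The standard lookup key: unsalted MD5 of the normalized address.

    Anyone who sees this value on a public page can try to recover the
    address offline, because nothing site-specific goes into the hash.
    """
    return hashlib.md5(canonical_email(email).encode("utf-8")).hexdigest()


def site_keyed_hash(email, site_key):
    """Keyed alternative (assumption modelled on the mitigation in the post).

    HMAC-SHA256 under a secret held only by the site, truncated to 32 hex
    chars. Without site_key the value cannot be related back to the address,
    and the same address produces different values on different sites.
    """
    mac = hmac.new(site_key, canonical_email(email).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def avatar_url(email, site_key, has_gravatar_account):
    """Build the avatar URL, exposing the real MD5 key only when needed.

    has_gravatar_account is a callable supplied by the site (for example a
    cached answer from a probe of gravatar's existence check); users without a
    gravatar account get the keyed hash, which gravatar can only render as an
    identicon since it matches no registered address.
    """
    if has_gravatar_account(email):
        key = gravatar_hash(email)
    else:
        key = site_keyed_hash(email, site_key)
    return f"https://www.gravatar.com/avatar/{key}?d=identicon"


if __name__ == "__main__":
    # Constructed values for the demo: a throwaway site secret and a fake address.
    demo_secret = b"constructed-site-secret-keep-out-of-source-control"
    demo_email = " Alice@Example.com "
    print("standard (unsalted MD5):", gravatar_hash(demo_email))
    print("keyed per-site hash:    ", site_keyed_hash(demo_email, demo_secret))
    # Treat every user as having no gravatar account, as a site that never
    # probes gravatar would; the resulting URL leaks nothing about the address.
    print(avatar_url(demo_email, demo_secret, lambda e: False))
```

The keyed hash only limits the disclosure; a user who has registered with gravatar still has their unsalted MD5 published wherever the real key is used, which is why the post's recommendation remains to drop gravatar entirely.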