
Research problem: Information disclosure with generated avatars?

25. Jun 2012

WordPress.com allows me to pick default avatars for users that don’t have one.

For users without a custom avatar of their own, you can either display a generic logo or a generated one based on their e-mail address.

I picked “Wavatar” since I did not want to use “Identicon”, because of their style. I’d be fine with any other of them.

The question is: How much do I give away with generated avatars?

Considering the choices I have:

[Image: Avatar choices]

I guess

  • Mystery Man
  • Blank
  • Gravatar Logo

do not disclose anything that is not already public.

The rest are generated from the e-mail address, which makes me wonder whether they reveal anything about the e-mail address. I currently believe that all of the generated choices work in the same way and are interchangeable. I further assume that the same e-mail address will give the same avatar even when other services use it. In other words, it is independent of the source of the e-mail.

If I’m right, it’s dead easy to link users by their e-mail address when the same generated avatar is present. For example, if both services use “Wavatar”, all you have to do is compare the generated avatars. Even when both use different default avatar choices, it’s easy to generate the desired avatar type, or all of them, even without knowing the e-mail address.

I think both services know your e-mail address already, but any reader or third-party may learn something about you.

Is my assumption correct? Do I disclose any information? And then the question is: how unique are the generated avatars? Does anything else give information away when using generated avatars, besides the avatars themselves?

Update 2012-06-25 19:39 UTC/GMT: Gravatar creates a string like “ab75e1706b233aea17c93732068b49c7”. This is enough to identify a user. When anonymous comments are allowed, the string (ID) is not generated unless an e-mail address is entered. When the e-mail is reused (which could happen often) the avatar does not matter; the string can be used. At the current state I believe that Gravatar creates this string when an e-mail address is entered and returns the avatar the user picked when this e-mail address is known; when the string does not exist, it generates one based on the settings of the blog. I assume that the string is created even when “Mystery Man”, “Blank” or “Gravatar Logo” is chosen. That could be the case, because when the user later decides to have their own avatar on Gravatar (for that e-mail address) it won’t get displayed for previous comments or “likes”.

The above string was created by myself and doesn’t hurt anybody.

I will check that and look on gravatar.com for more information. I may contact them if I still have questions.

Update 2012-06-25 19:45 UTC/GMT: Gravatar uses MD5 to create the string above from the given email address. See this page.
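The two updates above describe the mechanism in words: the string is the MD5 of the e-mail address, so the same e-mail yields the same string on every site that uses Gravatar, regardless of which default avatar a site picked. The following Python is an added example (not code from the post or from Gravatar) that makes that concrete: it derives the hash the way Gravatar documents it (trim whitespace, lowercase, MD5), builds the avatar URL with the `d=` default parameter (`wavatar`, `identicon`, and so on), and then shows how a reader holding only the hashes from two unrelated sites can tell which commenters are the same person. The `site_scoped_id` function is a hypothetical mitigation, not anything Gravatar offers: a per-site keyed hash (HMAC) keeps avatars stable within one site while breaking the cross-site link. The e-mail addresses and site names are constructed sample data.

```python
import hashlib
import hmac

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"


def gravatar_hash(email: str) -> str:
    """Gravatar's documented normalisation: strip whitespace, lowercase,
    then MD5 of the UTF-8 bytes. The result is a 32-character hex string."""
    normalised = email.strip().lower()
    return hashlib.md5(normalised.encode("utf-8")).hexdigest()


def gravatar_url(email: str, default: str = "wavatar") -> str:
    """Avatar URL for an e-mail; `default` selects the generated fallback
    (wavatar, identicon, monsterid, retro, ...) when no custom image exists."""
    return f"{GRAVATAR_BASE}{gravatar_hash(email)}?d={default}"


def cross_site_links(records):
    """records: iterable of (site, avatar_hash) pairs as a third party would
    scrape them from comment pages. Returns {hash: [sites]} for every hash
    that appears on more than one site, i.e. the users that can be linked."""
    seen = {}
    for site, avatar_hash in records:
        seen.setdefault(avatar_hash, set()).add(site)
    return {h: sorted(sites) for h, sites in seen.items() if len(sites) > 1}


def site_scoped_id(email: str, site_key: bytes) -> str:
    """Hypothetical mitigation (not a Gravatar feature): an HMAC under a
    per-site secret. The same e-mail still gets a stable avatar on one site,
    but the ID differs between sites, so hashes no longer link accounts."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(site_key, normalised, hashlib.sha256).hexdigest()


# Constructed sample: the same person comments on two unrelated sites.
SAMPLE_COMMENTS = [
    ("blog-a.example", gravatar_hash("Alice@Example.com")),
    ("forum-b.example", gravatar_hash("alice@example.com ")),
    ("forum-b.example", gravatar_hash("bob@example.com")),
]


if __name__ == "__main__":
    print(gravatar_url("alice@example.com"))
    print(gravatar_url("alice@example.com", default="identicon"))
    # Both sites chose different defaults, but the hash in the URL is identical.
    for h, sites in cross_site_links(SAMPLE_COMMENTS).items():
        print(f"hash {h} seen on: {', '.join(sites)}")
    # With a per-site key the two sites would publish different IDs.
    print(site_scoped_id("alice@example.com", b"blog-a-secret"))
    print(site_scoped_id("alice@example.com", b"forum-b-secret"))
```

Note that the choice of “Wavatar” versus “Identicon” only changes the `d=` parameter; the identifying part of the URL is the hash, which is why the avatar style does not affect linkability.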

From → General, Research

4 Comments
  1. Does somebody know answers?

  2. Fascinating question – I had never even considered the possibility that it was giving any info away.

    • I should have looked into it, before I wrote about it. The creation of the avatars should not be any worse than using the static ones.
