
Gravatar – Information about the process and the data I leak

26. Jun 2012

Yesterday's assumption turned out to be partly right, partly wrong, and more complex than I thought.

Here is what happens with your e-mail address:

– You enter the e-mail address for the purpose of leaving a comment
– Your e-mail address gets turned to lower-case
– Your e-mail address gets turned into an MD5 hash
(like “ab75e1706b233aea17c93732068b49c7”)
– Then it loads […]$MD5hash,
which should contain the avatar for that e-mail address
– When there’s no avatar, it returns an avatar based on the settings of the requesting service.
For example “d=wavatar” generates a “wavatar” from the data.

Even when the setting is “show a blank logo”,
the e-mail address still gets turned into an MD5 hash.

Now to what I leak:

The link to the avatar, even with “blank logo”, is always
where “$MD5hash” is the MD5 hash of the e-mail address,
“xx” is the size,
“return_if_empty” is what gravatar should do if there’s no custom avatar,
and “maximum_rating” is the rating in terms of child safety,
so for example:

Ratings I can choose; they don’t change the process:

G – Suitable for all audiences
PG – Possibly offensive, usually for audiences 13 and above
R – Intended for adult audiences above 17
X – Even more mature than above
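The process above, written out as an added Python example (not code from the post): it normalises the address, derives the MD5, builds the avatar link, and shows that the hash is readable from the link no matter what the d= setting is. The base URL and the query parameter names s, d and r are Gravatar's real ones (the post paraphrases them as size, return_if_empty and maximum_rating); the keyed proxy id at the end is an added mitigation sketch, not something the post or Gravatar provides.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Gravatar's real avatar endpoint; the post elides it as "[...]".
GRAVATAR_BASE = "https://www.gravatar.com/avatar/"


def gravatar_hash(email: str) -> str:
    """Steps 2-3 of the post: normalise the address, then MD5 it.

    Gravatar also trims surrounding whitespace before lower-casing,
    so 'Alice@Example.com ' and 'alice@example.com' map to one hash.
    """
    normalized = email.strip().lower()
    return hashlib.md5(normalized.encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80, default: str = "wavatar",
                 rating: str = "g") -> str:
    """Step 4: the link a site embeds as <img src=...>.

    s = size in pixels, d = what to return if there is no custom avatar
    (e.g. 'wavatar', 'identicon' or 'blank'), r = maximum rating (g/pg/r/x).
    """
    params = {"s": size, "d": default, "r": rating}
    return GRAVATAR_BASE + gravatar_hash(email) + "?" + urlencode(params)


def leaked_hash(avatar_url: str) -> str:
    """What every page visitor can read out of the image URL, whatever d= is."""
    path = avatar_url.split("?", 1)[0]
    return path.rsplit("/", 1)[-1]


def proxied_avatar_id(email: str, site_secret: bytes) -> str:
    """Mitigation sketch (added here, not from the post): if the site fetches
    the avatar server-side and serves it under this keyed id, visitors never
    see the MD5 of the e-mail, yet returning commenters keep a stable picture.
    """
    return hmac.new(site_secret, gravatar_hash(email).encode("ascii"),
                    hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample address, "blank logo" setting as in the post.
    url = gravatar_url("Alice@Example.com", size=48, default="blank", rating="pg")
    print(url)
    print("hash leaked:", leaked_hash(url) == gravatar_hash("alice@example.com"))
```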

When you have a gravatar account there’s nothing to worry about, because you gave them your e-mail address and you expect to be recognized.

When I display avatars I always leak the MD5 hash of your e-mail address. While one can’t turn the MD5 hash back into the e-mail address, I believe that with much effort one could compute the MD5 hashes of so many generated e-mail addresses that some of them could be retrieved.

My previous concern was that it would be possible to compare generated avatars, but that’s not even necessary, because all you need is the MD5 hash. So from a privacy and anonymity standpoint it’s much worse. I was also wrong that static avatars would be safer; they are on the same level.

For privacy and anonymity reasons I could disable showing avatars, which would disable that leak. At the current state I’m NOT doing that. There are multiple reasons for that.

You have the choice, because I allow you to comment without entering an e-mail address (at least for now). You can also create an e-mail address just for commenting. Not showing avatars would only affect users who have gravatar accounts. I consider an avatar to be something that enables one to re-recognize commentators (for others and for me).

I see that it potentially hurts privacy and anonymity, but I don’t know how easy it is to find a commentator based on the hash. I could not find anything problematic. However, I’m willing to disable the display of avatars if someone shows me that I should be concerned.

Gravatar stands for “Globally recognized Avatar” and it’s open. I’m not defending the use of MD5 for that purpose, but it’s better than working with an e-mail address that hasn’t been obfuscated. For example, I can run a forum, create an MD5 hash of any e-mail address and display their gravatar avatar. If gravatar switched to SHA1 (or something else), the service would break. Gravatar could switch to a new hash by using a different URL like “[…]/avatar/new_hash/$SHA1”, so services could use the new link while the MD5 hash is phased out over time.

However, the hash is there all the time, because this is how the system works. I don’t know if that is worth anything.

Comment if you dare ;)

One Comment
  1. I forgot to add: and are run by the same company. You don’t expose more to them by this process.

    I add this as comment, because I don’t know where to put it.
