Gravatar security risk.

I'm sorry but I feel this issue needs it's own thread.
Initially I was very miffed that my old avatar had been casually thrown away and replaced by an image of a grinning idiot.
Then I baulked at the idea that gravatar can track people all over the net. I was however willing to ignore that.
I did block gravatar at this end, not for security but just to get  rid of all those ugly auto generated images on the page.
Now I  find stories like this:
In 2013, folks reversed the MD5 hashes of email addresses in a data dump to recover 45% of email addresses at a large forum, by exploiting this weakness in Gravatar (the ability to reverse MD5 hashes of email addresses). This is more evidence that email addresses can be recovered despite the use of the hash.

Now, this may pose a small risk, and things may have been tightened up since then. But really why expose yourself needlessly. And especially sinc ethe results are so ugly on the page anyway.

Comments

  • 17 Comments sorted by Date Added Votes
  • That implies that Gravatar is being handed email addresses in the first place! Has Parallax handed over all our email addresses?
    $50,000 buys you a discrediting of a journalist
  • Heater.Heater. Posts: 19,257
    edited July 2015 Vote Up0Vote Down
    evanh,
    No. It  does not rely on Gravatar ever having actual email addresses. Only a hash of them. Which we like to think  cannot be reversed to get the email address back again.
    The stories linked too in my opening post suggest however that under some circumstances it is possible to do that. And people have done it.
    Conclusion: Gravatar should be immediately removed from this forum as a potential security risk. Especially as  it has it serves no useful purpose and is detrimental to the appearance an load time of the site.
  • when the user posts a comment on such a blog that requires an email address, the blogging software checks whether that email address has an associated avatar at Gravatar. If so, the Gravatar is shown along with the comment.
    https://en.wikipedia.org/wiki/Gravatar
  • Heater,
    How did you block Gravatar at your end?


    P.S. I have to laugh every time I see your avatar... knowing how red-faced you are over it. Almost befitting this forums disaster.


    Sapphire
  • Sapphire,
    I just put this in my /etc/hosts file:
    # To confuse gravatar spyware 127.0.0.1       www.gravatar.com
    # To stop facebook on parallax.com127.0.0.1       connect.facebook.net
    Seems you  can do similar in Windows: http://www.howtogeek.com/howto/27350/beginner-geek-how-to-edit-your-hosts-file/
    Glad you get a chuckle from my grinning idiot avatar. It's staying there to be a constant reminder of how dumb gravatar is. At least for a while.
  • SapphireSapphire Posts: 468
    edited July 2015 Vote Up0Vote Down
    Thanks, done!
    But now you're just an X 
    :depressed: 
    Sapphire
  • Saphire,
    I might like the X better.
    Different browsers display different things when the can get the image loaded. 
  • Maybe you should use this:
    f569530fbb8eea20245d2385744bc4.png
    314 x 284 - 2K
    Sapphire
  • The ghostery plugin for FireFox makes blocking any third party items a snap. It's amazing how many sites load faster when you stop third party junk.
    Andrew Williams
    WBA Consulting
  • jmgjmg Posts: 10,208
    The ghostery plugin for FireFox makes blocking any third party items a snap. It's amazing how many sites load faster when you stop third party junk.


    This fundamental negative speed impact, is why I cannot fathom why include this fluff in the first place ?
    A cynic would have to say money, or private information, is changing hands, else why do it ?
  • Seems you  can do similar in Windows: http://www.howtogeek.com/howto/27350/beginner-geek-how-to-edit-your-hosts-file/

    I don't bother with editing the hosts file manually. Mine is over 900KB, I use a program call HostsMan to keep it updated. Between the hosts file, Ghostery and NoScript over 99% of advertising and other garbage just never shows up. (I'm just guessing at the 99% part, but it's very rare that I see see any advertising at all.)
    - Rick
  • As well as Ghostery and NoScript, I also happen to use RequestPolicy. This one, like NoScript, is a block by default mechanism. It means I have to opt-in to all third-party http references. NoScript only covers Scripting references. I can make those choices permanent.

    News sites can look very barren initially. Sometimes even the formatting is missing, it's just a wall of text in default font, until I let one or two references through.

    As for Gravatar, I've never had any interest in enabling that so it's still blocked everywhere I go.
    $50,000 buys you a discrediting of a journalist
  • Heater,
    So, Gravatar now have an effectively reversible hash of every Parallax forum user then?
    $50,000 buys you a discrediting of a journalist
  • There is certainly a hash of your password floating around the net now.
    How easy it is to reverse or brute force I don't know. The stories I linked to indicate in can be done though.
    Did I mention we do everything here is plain text. Where is the frikken HTTPS? That means that all those hashes are now in the hands of people with enough horse power to brute force it.  
  • Sapphire,
    What a brilliant suggestion. I might take you up on that. 
    That's a 6L6 heater pinout. I would have gone for the 807's pins 1 an  5.



  • Or a 50C6 Beam Power Amplifier. I thought you'd like the power output stage better. :innocent:
    Sapphire
  • Oh yeah, the 100 odd watts of a pair of push-pull 807's is enough for me!
    What with being good to 60MHz they make a mean RF transmitter. 
Sign In or Register to comment.