Stack Overflow merges user e-mail addresses


I am building a Google Alerts-style feature for the GitSpo service. I don't fully understand yet what exactly it is, but the service is growing fast and people like it. A big part of GitSpo is collecting data from various social networks: Twitter, LinkedIn and Stack Overflow. I noticed one thing: Stack Overflow uses the Gravatar service for the avatars in user profiles.

Gravatar is a service that associates an image (in our case, an avatar) with your e-mail address. Other sites (in our case, Stack Overflow) can then use this image to display an avatar for people visiting the site.

A user's avatar is looked up by hashing their e-mail address. For example, my e-mail address is gajus@gajus.com. Anyone who has my e-mail address can generate the link to my avatar image, for example https://www.gravatar.com/avatar/74a5bd659b3a8af09a336a932eebe3b1

We get my avatar (image omitted here).

Gravatar was launched in 2007 and has grown rapidly, in part because it is the default avatar service on WordPress sites. Great idea: upload an avatar once and it appears automatically on all sites; update it on Gravatar and the picture changes immediately everywhere. Unfortunately, the hashing scheme they chose turned out to be completely unsafe.


The link to the picture is generated by MD5-hashing your e-mail address, after it has been converted to lowercase and stripped of whitespace.

md5('gajus@gajus.com') === '74a5bd659b3a8af09a336a932eebe3b1'

Using MD5 to hash personal information was a poor choice even at that time. Today, MD5 lookup databases contain over 90 trillion hashes. Moreover, half of all e-mail addresses use only a limited set of characters ( /^[a-z@\-.]+$/ ) and their endings are easy to predict, for example the very popular domain @gmail.com.

I decided to run an experiment: I took 1000 hashes from Stack Overflow profiles and ran them through one of the hash lookup services. The result was 721 e-mail addresses, i.e. a 72% success rate.

However, this case is interesting for more than just recovering e-mail addresses. Many developers' e-mail addresses are already public: on GitHub they can be obtained from profiles, commits, files and licenses, or even directly from code comments. GitSpo has data on all publicly available GitHub profiles and repositories, so I was able to hash those addresses and compare them with the Stack Overflow hashes. I found 1000 matches.
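The hashing step described above and the comparison against already-public addresses, written out as an added Python example (this is not code from the original post or from GitSpo). The sample addresses, the site secret and the function names are constructed for illustration. The last function shows the mitigation available to a site operator: expose a keyed, per-site token (and fetch the image server-side) instead of publishing the raw MD5 of the address.

```python
import hashlib
import hmac


def normalize_email(email: str) -> str:
    """Gravatar's normalization: trim surrounding whitespace, then lowercase."""
    return email.strip().lower()


def gravatar_hash(email: str) -> str:
    """MD5 of the normalized address: the identifier that Gravatar URLs expose."""
    return hashlib.md5(normalize_email(email).encode("utf-8")).hexdigest()


def gravatar_url(email: str) -> str:
    return "https://www.gravatar.com/avatar/" + gravatar_hash(email)


def correlate(observed_hashes, known_emails):
    """Map observed Gravatar hashes back to addresses from a list that is
    already public. This is the cross-site correlation the post describes:
    no hash cracking is involved, only hashing a known list and comparing."""
    table = {gravatar_hash(e): normalize_email(e) for e in known_emails}
    return {h: table[h] for h in observed_hashes if h in table}


def opaque_avatar_token(email: str, site_secret: bytes) -> str:
    """Mitigation for a site operator (assumed design, not Gravatar's API):
    derive the avatar identifier with a keyed hash under a per-site secret.
    The value rendered on the page can then neither be looked up in an MD5
    database nor matched against the same user's token on another site."""
    return hmac.new(site_secret, normalize_email(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()


# Constructed sample data, not taken from the original post.
KNOWN_PUBLIC_EMAILS = ["alice@example.org", "Bob@Example.org", "carol@example.net"]
SITE_SECRET = b"constructed-demo-secret"


def demo():
    # A profile page that embeds Gravatar URLs effectively publishes these hashes.
    observed = [
        gravatar_hash("alice@example.org"),
        gravatar_hash("bob@example.org"),
        gravatar_hash("nobody-known@example.com"),
    ]
    matched = correlate(observed, KNOWN_PUBLIC_EMAILS)
    # The keyed token for the same user is not a function of the e-mail alone.
    tokens = {e: opaque_avatar_token(e, SITE_SECRET) for e in KNOWN_PUBLIC_EMAILS}
    return matched, tokens


if __name__ == "__main__":
    matched, tokens = demo()
    print("correlated:", matched)
    print("opaque tokens:", tokens)
```

Running the script shows that two of the three observed hashes resolve to addresses from the public list purely because the address normalization is deterministic and unkeyed, while the HMAC-based tokens differ per site secret and cannot be joined with another site's values.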

It should be noted that Stack Overflow is not the only site using Gravatar; so do WordPress, HootSuite, TechDirt, Disqus and others. Stack Overflow stands out because its main audience is developers, and I was surprised that such a thing slipped through.

In fact, there is not much Stack Overflow can do about it today: quite a lot of sites on the Internet are copies of Stack Overflow. Still, it would be good to stop using Gravatar by default for newly registering users.
