Technical Insight

Gravatar Email Enumeration in JavaScript

A friend recently reminded me about a hackers’ trick, based on using Gravatar, that I’d long forgotten about. The method was last discussed on Stack Overflow a couple of years ago. Lately, people have been thinking again about this problem. And although the discussion has mostly been about how to brute force email addresses from a known Gravatar URL, there is a way to perform much more efficient and larger-scale brute force attacks with Gravatar.

The problem

This issue stems from four main factors:

  1. Gravatar uses the MD5 hash of a user’s email address to display the Gravatar image
  2. Gravatar allows website authors to display no image at all if they’d rather not
  3. Because of a minor issue in the browser’s origin policy, there is a way for an attacker to calculate an image size remotely
  4. Companies, and people, often use email addresses closely related to their actual name

The attack

By combining these four factors, I created a small demonstration script that an attacker can embed in their webpage. By supplying the first name, the last name (and, optionally, a middle initial), and the domain name, you can write a small piece of JavaScript that performs the cracking in the user’s own browser.

So imagine this: in the simplest (and mostly impractical) example, an attacker gets people to visit a site and enter their first and last name, as well as their company’s name (let’s say “Safeway”). The malicious website then programmatically adds “.com” to the end of the string. Assuming, at least in most cases, that the “.com” successfully produces the correct domain name (in this case, “”), the browser then concatenates the first name, last name, and domain name in various ways. The browser also tries Gmail, Outlook, Hotmail, and AOL, as these are the most common webmail providers.

Once a user’s browser visits the malicious website, the JavaScript forces the browser to pull in images from Gravatar. If an image is invalid, the size of the image in the browser will be less than one pixel in either dimension. However, if the image does exist, its size in the browser will be greater than zero, which confirms for the attacker that the email address is valid. A semi-benign example of this attack could be used during the registration process of a website, in order to speed up the collection of email addresses, and/or by providing a drop-down menu of probable email addresses.

The risks

This simple brute force method can then lead to far more efficient and practical attacks that produce massive amounts of email addresses of the target domain. For instance, let’s say an attacker gathers a dictionary containing thousands of common first names, last names, and the target domain name(s) in question (or the top Alexa 1000 domains, if this is an untargeted campaign). Instead of spamming chosen email addresses arbitrarily, an attacker can run the same JavaScript (written either by himself or by someone else on his behalf) to collect massive numbers of valid email addresses.

And if the attacker can have a random browser on the Internet do this recon on his behalf, this brute-force attack is performed without the attacker himself sending a single request to Gravatar. This technique also works successfully without requiring a massive spam campaign to identify valid user accounts.

I’ve created an embeddable example here which demonstrates this enumeration.

Once discovered, this is not an easy problem to fix, because so many people and sites use Gravatar, and it would require a forklift upgrade of their code to use something more secure than a simple MD5 hash. Therefore, it is probable that this issue will continue to exist for a long time – certainly as long as Gravatar exists and provides the features it currently offers. The result is the possibility of large-scale, spear-phishing campaigns against large corporations. Therefore, WhiteHat’s Threat Research Center recommends that corporate Internet users limit their employees from using Gravatar tied to their corporate email addresses when conducting company-specific business.