A friend recently reminded me about a hackers’ trick − based on using Gravatar − that I’d long forgotten about. The method was last discussed on Stack Overflow a couple of years ago. Lately, people have been thinking again about this problem. And although the discussion has mostly been about how to brute-force email addresses from a known Gravatar URL, there is a way to perform much more efficient and larger-scale brute-force attacks with Gravatar.
This issue stems from four main factors:
- Gravatar uses the MD5 hash of a user’s email address to display the Gravatar image
- Gravatar allows website authors to display no image at all if they’d rather not
- Because of a minor issue in the browser’s origin policy, an attacker’s page can learn the size of an image it loads from another origin, and therefore whether that image exists
- Companies, and people, often use email addresses closely related to their actual name
So imagine this: in the simplest − and mostly impractical − example, an attacker gets people to visit a site and asks them to enter their first and last name, as well as their company’s name (let’s say “Safeway”). The malicious website then programmatically appends “.com” to the company name. Assuming that, in most cases, this produces the correct domain name (here, “Safeway.com”), the visitor’s browser concatenates first name, last name, and domain name in the various common patterns and checks each candidate address against Gravatar. It also tries Gmail, Outlook, Hotmail, and AOL, as these are the most common webmail providers.
And because an arbitrary visitor’s browser performs this reconnaissance on the attacker’s behalf, the brute-force attack is carried out without the attacker’s own systems sending a single request to Gravatar. The technique also identifies valid user accounts without the massive spam campaign that would otherwise be needed.
I’ve created an embeddable example here which demonstrates this enumeration.
This is not an easy problem to fix, because so many people and sites use Gravatar, and moving to something more secure than a simple MD5 hash would require a forklift upgrade of their code. It is therefore probable that this issue will persist for a long time – certainly as long as Gravatar exists and provides the features it currently offers. The result is the possibility of large-scale spear-phishing campaigns against large corporations. Therefore, WhiteHat’s Threat Research Center recommends that corporations limit their employees from using Gravatar accounts tied to their corporate email addresses when conducting company-specific business.
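A defender-side illustration of the mechanism described above and of the recommendation that closes the post, as an added example that is not from the original post or from WhiteHat: a small Python audit that takes a list of an organisation’s own addresses, applies Gravatar’s documented hashing (trim whitespace, lowercase, MD5) and the d=404 option, and reports which of those addresses have a Gravatar tied to them. The addresses, the corp.example domain and the canned responses are constructed for the offline demonstration; live_status is the only function that would talk to Gravatar and is not exercised here.

```python
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"


def gravatar_hash(email: str) -> str:
    """Gravatar's documented normalisation: trim whitespace, lowercase, MD5 hex."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_probe_url(email: str) -> str:
    """URL that answers HTTP 404 (d=404) when no avatar is registered for the hash.

    This is the Gravatar option the post calls "display no image at all": the
    404 is what makes an address's enrolment observable to anyone who can load
    the URL, so it is also the cheapest way to audit your own exposure.
    """
    return f"{GRAVATAR_BASE}{gravatar_hash(email)}?d=404"


def live_status(url: str, timeout: float = 5.0) -> int:
    """HEAD the URL and return the HTTP status code (200 = avatar exists).

    Not used by the offline demo below; pass it to audit_exposure for a real run.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_exposure(
    emails: Iterable[str], status_for_url: Callable[[str], int]
) -> Dict[str, bool]:
    """Map each normalised address to True if Gravatar serves an avatar for it."""
    report: Dict[str, bool] = {}
    for email in emails:
        key = email.strip().lower()
        if key in report:  # duplicates in the directory need only one probe
            continue
        report[key] = status_for_url(gravatar_probe_url(key)) == 200
    return report


def exposed_addresses(report: Dict[str, bool]) -> List[str]:
    """Addresses that have a Gravatar tied to them, sorted for stable output."""
    return sorted(addr for addr, enrolled in report.items() if enrolled)


# --- Constructed offline fixture (not real Gravatar data) -------------------
# Pretend that only Alice has registered a Gravatar with her corporate address.
FAKE_RESPONSES: Dict[str, int] = {
    gravatar_probe_url("alice.example@corp.example"): 200,
}


def fake_status_for_url(url: str) -> int:
    """Stand-in for live_status: 200 for the canned hash, 404 for everything else."""
    return FAKE_RESPONSES.get(url, 404)


# Constructed directory export, including the kinds of noise a real one has.
CONSTRUCTED_DIRECTORY = [
    "Alice.Example@corp.example",   # mixed case: normalises to the same hash
    "bob@corp.example",
    " bob@corp.example ",           # duplicate with stray whitespace
    "carol@corp.example",
]


if __name__ == "__main__":
    result = audit_exposure(CONSTRUCTED_DIRECTORY, fake_status_for_url)
    for addr in exposed_addresses(result):
        print(f"Gravatar registered for corporate address: {addr}")
```

The fetcher is injected so the same audit runs against canned responses in a test and against live_status in production. The hash check reuses the documented Gravatar example address, MyEmailAddress@example.com, whose published hash is 0bc83cb571cd1c50ba6f3e8a78ef1346; the script deliberately contains no name-permutation step, since a defender already holds the directory and only needs to know which entries are enrolled.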