Gravatars: why publishing your email's hash is not a good idea

By abell on 2009-12-08-23:35:49 | In gravatar stackoverflow information leak md5

The people at gravatar.com offer a nice service: for website owners, it lets you automatically associate an avatar with each of your users through the user's email address. Users who register at gravatar.com can change their gravatar, and the change becomes visible on every gravatar-enabled website where they registered with the same email.

The email -> avatar association is done through the MD5 hash function. If you register on a website with username@mailprovider.com, the website computes the MD5 hash of your email address (Gravatar specifies that the address is trimmed of surrounding whitespace and lower-cased first), in this case 476c8a979eed603fb855dca149c7af6b, and associates the avatar URL

http://www.gravatar.com/avatar/476c8a979eed603fb855dca149c7af6b?d=identicon
to your profile. All other websites using gravatars will associate the same URL with your profile, because the computation of
md5sum ( username@mailprovider.com )
always yields the same result: the hash is unsalted and deterministic, so the same address maps to the same 32-hex-character identifier everywhere it is used.
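The computation above, and the information leak the title refers to, as an added example that is not code from the original post or from Gravatar: the hash is built exactly as Gravatar documents it (trim, lower-case, MD5 hex digest), and because the input space of e-mail addresses is guessable and there is no salt, anyone holding a candidate list can run it against a published hash and recover the address. The candidate list and the `reverse_lookup` helper are constructed for illustration.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest of raw bytes (kept separate so the shell pitfall below can be shown)."""
    return hashlib.md5(data).hexdigest()


def gravatar_hash(email: str) -> str:
    """Hash an e-mail address the way Gravatar documents it:
    strip surrounding whitespace, lower-case, then MD5 -> 32 hex characters."""
    normalized = email.strip().lower()
    return md5_hex(normalized.encode("utf-8"))


def gravatar_url(email: str, default: str = "identicon") -> str:
    """Build the avatar URL a gravatar-enabled site would embed for this user."""
    return f"http://www.gravatar.com/avatar/{gravatar_hash(email)}?d={default}"


def reverse_lookup(target_hash: str, candidates):
    """Dictionary attack against a published gravatar hash (illustrative helper).

    The hash is unsalted and the input is a plain e-mail address, so every
    candidate in the list can be hashed and compared with the published value.
    Returns the matching address, or None when nothing in the list matches.
    """
    target_hash = target_hash.strip().lower()
    for candidate in candidates:
        if gravatar_hash(candidate) == target_hash:
            return candidate
    return None


# Constructed sample data (not from the original post): a small list of the
# kind an attacker might assemble from user names and common mail providers.
CANDIDATES = [
    "alice@example.com",
    "bob@example.com",
    "username@mailprovider.com",
    "carol@example.org",
]


if __name__ == "__main__":
    # What a site would publish in its HTML for this user; note that the
    # normalization makes capitalisation and stray whitespace irrelevant.
    published = gravatar_hash(" Username@MailProvider.com ")
    print(gravatar_url("username@mailprovider.com"))
    print("published hash :", published)
    print("recovered email:", reverse_lookup(published, CANDIDATES))

    # Pitfall when reproducing the hash by hand: `echo addr | md5sum` also
    # hashes the trailing newline and therefore yields a different digest.
    print("hash with trailing newline equals published:",
          md5_hex(b"username@mailprovider.com\n") == published)
```

If you reproduce the hash at a shell, use `printf '%s' 'username@mailprovider.com' | md5sum` (or `echo -n`); a bare `echo` appends a newline and the digest will not match what gravatar-enabled sites publish.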
