
Gravatar: How to decrypt email addresses of all users?

Many have heard of Gravatar, and some people use it. If you have not: Gravatar is a Globally Recognized Avatar, an image attached to your email address that you can reuse on other sites when commenting, filling out a profile, and so on.

The Gravatar service turned out to be quite popular and in demand, and over the years it grew into a mini social network of its own with an audience in the millions. However, I could not find any information on how many Gravatar users (that is, users who have tied an avatar to their email address) there are. The only figure is on the official website, where the creators of the service proudly declare that "Millions of avatars are shown more than 8.6 billion times a day."

The popularity of Gravatar is helped by its support in many popular engines, such as Redmine, W-script and, of course, WordPress. Plug-ins and modifications add support for globally recognized avatars to systems such as Drupal, Joomla, MODX, SMF and phpBB.
Gravatar works according to the following scheme: a user registers with the Gravatar service and stores an avatar and an email address there. From then on he has his own Gravatar. When he wants to leave a comment on a website or blog, he only provides his email address. The site's script hashes this email address and sends the hash to the Gravatar server, which returns the avatar image.

If we open a Gravatar image directly, we will see an avatar address that looks something like this:



The 32-digit hexadecimal number in this address is the MD5 hash of the email address itself and, in fact, it is the only key that identifies the user in the Gravatar system.

The MD5 hashing algorithm used by the Gravatar service is primarily intended to hide the user's email address (so that it is not transmitted in the clear). Its peculiarity is that it is one-way: with the MD5 function we can compute ("encrypt") the hash (digest) of a word, but we cannot get the word back ("decrypt" it). That is, there is no mathematical function that recovers what exactly was hashed into "05933ec7a23f6ebd2017490abfbcd3f3".

However, there are methods of "decrypting" MD5, such as dictionary attacks, rainbow tables, and so on. This raises the question of how safe the email address of a Gravatar user is. Admittedly, the user may himself make his email address public, and it is in any case known to the administrator of the site on which he leaves a comment. But let us get back to how effectively the Gravatar service's use of a weak hashing algorithm (MD5) can be exploited.
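To make the scheme concrete, here is an added example (not code from the original article) that reproduces the Gravatar identifier exactly as described above, shows why a hash copied from a comment page can be confirmed against a guessed address offline, and sketches the mitigation a site operator has: publish a keyed token and resolve it through a server-side proxy, so the raw MD5 never reaches visitors. The `site_avatar_token` function and `AvatarProxy` class are an assumed site-side design, not a Gravatar feature.

```python
import hashlib
import hmac


def normalize_email(email: str) -> str:
    """Gravatar's canonical form of an address: whitespace trimmed, lower-cased."""
    return email.strip().lower()


def gravatar_hash(email: str) -> str:
    """The 32-hex-digit identifier in a Gravatar URL: plain, unsalted MD5."""
    return hashlib.md5(normalize_email(email).encode("utf-8")).hexdigest()


def gravatar_url(email: str) -> str:
    # d=404 makes the service answer 404 for an unknown hash instead of a stock image.
    return "https://www.gravatar.com/avatar/%s?d=404" % gravatar_hash(email)


def hash_matches(candidate_email: str, published_hash: str) -> bool:
    """Why the scheme leaks: the hash is deterministic and unsalted, so anyone holding
    a hash from a comment page can confirm a guessed address without any request."""
    return hmac.compare_digest(gravatar_hash(candidate_email), published_hash.lower())


def site_avatar_token(email: str, site_secret: bytes) -> str:
    """Assumed mitigation: a per-site keyed token (HMAC-SHA256) that cannot be
    checked against a guessed address without the site's secret."""
    mac = hmac.new(site_secret, normalize_email(email).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


class AvatarProxy:
    """Assumed server-side proxy: visitors see only /avatar/<token>; the mapping
    token -> upstream Gravatar URL stays on the server."""

    def __init__(self, site_secret: bytes):
        self._secret = site_secret
        self._upstream = {}  # token -> Gravatar URL, never sent to the browser

    def register(self, email: str) -> str:
        token = site_avatar_token(email, self._secret)
        self._upstream[token] = gravatar_url(email)
        return "/avatar/%s" % token  # the path that ends up in the page's HTML

    def resolve(self, token: str):
        # The server fetches this URL itself; returns None for unknown tokens.
        return self._upstream.get(token)
```

Note that the proxy only hides the hash from page visitors; the site administrator and Gravatar itself still learn the address, as the article points out.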

How secure is it, and how realistic is it to "decrypt" ... all gravatars?

To answer this question, I decided not to "crack" MD5 hashes (which looked time-consuming), but instead to check whether a given email address is present in the Gravatar database. The principle is very simple: we check whether the email address has a gravatar; if it does, we store its MD5 hash in our database.

By trial and error, the most suitable request for this purpose turned out to be a query to the Gravatar service with the following parameter:
www.gravatar.com/avatar/HASH?d=404

When such an address is requested, the Gravatar service returns a 200 response if the user has a gravatar (that is, if such a user exists at all) and a 404 response if the user is not in the Gravatar database. So we write a script that checks the server response:

<?php
$email = "user@example.com"; // placeholder address
// Gravatar hashes the trimmed, lower-cased address with MD5
$hash = md5(strtolower(trim($email)));
// d=404 makes the service answer 404 instead of serving a default image
$url = 'http://www.gravatar.com/avatar/' . $hash . '?d=404';
$check_url = get_headers($url);
if ($check_url !== false && strpos($check_url[0], '200') !== false) {
    // 200: a gravatar exists for this address, so store the MD5 hash in the database
}

So we have learned to check whether an email address has a gravatar. As raw material I downloaded the first email addresses that came to hand from the Internet (ordinary spam databases, plus email addresses that appeared in search results in clear text), more than 10,000,000 of them (deduplicated, checked for validity, and so on). I set up an ordinary local server (Denwer) on an ordinary computer and made the script above multi-threaded (I reached a scan speed of about 2 million addresses per day). Surprisingly, despite the enormous number of requests to the Gravatar service, it did not block the script and returned data reliably throughout the experiment.

Within a week all 10 million addresses had been checked, and the results were recorded in a database with the following structure:


The user's Gravatar login is needed to build the link to the user's profile page on the service, where additional information about the user can be found. That URL has the structure:
www.gravatar.com/LOGIN

The login can be obtained from the profile export file at:
www.gravatar.com/HASH.php

Let's write a script that extracts the variable we need, called preferredUsername:

<?php
$email = "user@example.com"; // placeholder address
$hash = md5(strtolower(trim($email)));
// the .php export is a PHP-serialized profile array
$str = file_get_contents('http://www.gravatar.com/' . $hash . '.php');
$login = null;
if ($str !== false) {
    // allowed_classes => false: never instantiate objects from data fetched over the network
    $profile = unserialize($str, ['allowed_classes' => false]);
    if (is_array($profile) && isset($profile['entry'][0]['preferredUsername'])) {
        $login = $profile['entry'][0]['preferredUsername'];
    }
}

The variables ($email, $hash and $login) were obtained and entered into the database for later searching. And that's all? Essentially, yes. Brevity is the soul of wit. We attach a search form to the database and, voila: the service is ready. Now, when you enter an MD5 hash in the search box (one that can be taken from any website where the user left a comment), we get his email address. For convenience, I implemented drag and drop: just drag a gravatar image from any site into the search box and click "find".

Explanations: neither the experiment nor the service was created for malicious purposes (spam, etc.). Nor can anyone be held responsible for the confidentiality of a Gravatar user's email address: the user knows it is visible to the administrator of the site where the comment is posted. Out of concern for personal data, I limited the search results, kept the data out of search engine indexes, and so on. The service that grew out of this impromptu experiment was made for reference and contact purposes. It is also food for thought for the owners of the Gravatar service.

Results: in one week an ordinary computer went through and checked 10 million email addresses (taken from open sources). Only 3% of them (about 300,000 recognized MD5 hashes) had a Gravatar of their own (not that many). But in theory, the email addresses of all Internet users could be collected into a single database and verified by the method described. And, also in theory, every MD5 hash in the Gravatar service could be resolved this way. That is far more than the 10% that can be obtained by searching MD5 hashes. The hashing scheme used for email addresses in Gravatar is vulnerable, and anyone using the service should take this into account.

Source: https://habr.com/ru/post/253941/
