Is Gravatar indeed a privacy leak?

(Karl M. Bunday) #1

I just saw the claim over on Hacker News that “most implementations of avatars that use gravatar are a privacy leak, associating the MD5 of the user’s email with every post on the net anywhere.” What’s the level of concern appropriate for this characteristic of Gravatar? I could see having my online comments linked to my verifiable identity as a feature, but I have read that I really shouldn’t let just anyone know my full email address. What’s the trade-off here?

(Jeremy Banks) #2

Here’s a related discussion on Meta Stack Overflow, started in 2009 by none other than Discourse co-founder Sam “Waffles” Saffron.

No inline preview of Stack Exchange posts yet? Too bad. It’s entitled “Is using Gravatar a security risk?”.

(Adam Davis) #3

Yes, it’s a privacy leak. A tiny one, but it does exist, and can be exploited.

If this concerns you, salt your email with random stuff. For instance, Google Mail allows you to add a plus and anything after it to your email, before the @.

So if your email is then emails to goes to your inbox. So does, etc.

This allows you to slightly change your email address for every Gravatar site you use, defeating the tiny privacy hole that exists in Gravatar usage.

(Sam Saffron) #4

Indeed, keep in mind that custom avatars, self-hosted avatars coupled with the ability to disable gravatars altogether in site settings is totally on the roadmap.

I find that for the security conscious bla+{somemd5hash} is plenty secure and essentially uncrackable.

(Ray Harris) #5

Just searched for a Gravatar thread for my first post. Loving the system.

I want to voice my concern related to privacy as well. The requirement of one avatar per email address violates the users’ rights to the convenience of a versatile personal email account. For example, I could be a Night Elf Mohawk on one forum and a professional actor on another, but not want to mix the two online identities.

(Andy Arminio) #6

Wouldn’t that be fixable using the salted email discussed above?

Since gravatar takes a hash of the entire email, you could register both and on gravatar and keep the same address but have different avatars attached to them.
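
Added example, not part of the thread and not Gravatar's or Discourse's code: it computes the avatar hash the way Gravatar documents it (trim, lowercase, MD5) and shows which sites become linkable when one address is reused, versus one plus-tagged address per site. The address, the site names and the helper names `plus_address` and `linkable_sites` are made up for illustration.

```python
from __future__ import annotations

import hashlib
import secrets
from collections import defaultdict


def gravatar_hash(email: str) -> str:
    """Gravatar's documented recipe: trim, lowercase, then MD5 as hex."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def plus_address(email: str, tag: str | None = None) -> str:
    """Insert +tag before the @. With no tag, use a random one (as in
    post #4), since a tag equal to the site name is easy to guess."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    if "+" in local:
        raise ValueError("address already carries a +tag")
    return f"{local}+{tag or secrets.token_hex(8)}@{domain}"


def linkable_sites(registrations: dict[str, str]) -> list[list[str]]:
    """Group sites that expose the same avatar hash: any reader of the
    pages can tell those accounts share one email address."""
    by_hash = defaultdict(list)
    for site, email in registrations.items():
        by_hash[gravatar_hash(email)].append(site)
    return sorted(sorted(sites) for sites in by_hash.values() if len(sites) > 1)


# Constructed sample data: the address and the site names are invented.
BASE = "alice@example.com"
REUSED = {"forum-a": BASE, "forum-b": "Alice@Example.com ", "blog-c": BASE}
TAGGED = {site: plus_address(BASE, site) for site in REUSED}

if __name__ == "__main__":
    print("same address everywhere:", linkable_sites(REUSED))
    print("one +tag per site:      ", linkable_sites(TAGGED))
    print("random tag:             ", plus_address(BASE))
```
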

(Ray Harris) #7

Ah, I understand now. I did notice Gravatar allows management of multiple email addresses, so it’s really more of a useful feature than an intrusion. This is a much more approachable issue than I had at first imagined. The user will just need to transition into the new decade of online forums along with the technology. Is this Gmail feature common with other providers?

(Andy Arminio) #8

To be fair, the ability to add a +something to your email and use it as a different avatar isn’t remotely obvious. Unfortunately the best place to put that information is on, so we’d have to complain there.

As far as the ‘+’ feature goes, I know it’s not exclusive to gmail, but I’m also sure it’s not everywhere, I can’t really say more than that. I do know that there are a number of places online that don’t accept ‘+’ in email addresses, even though it’s a legal character.

(Jeff Atwood) #9

Remember like @sam already mentioned, we do have plans to offer local avatars as well.

But in the meantime take advantage of email plus addressing, if you use GMail, it’s very flexible and handy in many circumstances, not just here.

Append a plus ("+") sign and any combination of words or numbers after your email address. For example, if your name was, you could send mail to or

(Benjol) #10

And oneboxing for SE?

(Thomas F. Burdick) #11

It was a standard part of Unix email processing, so it’s reasonably widespread. also allows it, for example, so I assume hotmail does as well (being the same on the back end). Outlook servers do not, or at least the one I have access to does not.

(Felix) #12

In case anyone is using postfix, there is a configuration option available:

recipient_delimiter = +

(jcolebrand) #13

Totally different FR you SE fool! :stuck_out_tongue:

(Stephen Paul Weber) #14

This is mostly a fear from the 90s, when good SPAM filters were hard to find. These days, the botnets usually know your email address anyway. It’s never been a problem for me.

(Jeff Atwood) #15

You may be interested in this:

(Sebastienstettler) #16

You don’t even have to have visible just [gravatar access point]{md5hash}

(Sam Saffron) #17

People argue that you can brute force the hash to find the email.

(pessimism) #18

Generally speaking, it is also a bad idea to use the same avatar across different services, because people can do an image-based search for your avatar in some cases.

Although it is unlikely to lead to your personal information, using the same display name can also compromise privacy.

In general, try to switch it up from site to site, using a +filter in your e-mail as suggested earlier.

(RolandS) #19

Thanks man, that solves multiple problems for me (not just this issue!)

(Sebastienstettler) #20

Yeah, I see how that is a valid point. I do suggest keeping the option to switch from gravatars to uploaded avatars. Personally I don’t mind the fact that people can brute force my hash.

according to gravatar

Millions of avatar images are being served over 8.6 billion times per day

so we have all been compromised already :confused: