RubyGems: Possibility to guess email address from gravatar image URL

2022-04-0908:46:42

ooooooo_q

hackerone.com

JSON

The hash used for gravatar used in rubygems.org is a simple md5, which could allow an attacker to guess the user’s email address.

https://en.gravatar.com/site/implement/hash/

https://github.com/chrislloyd/gravtastic/blob/master/lib/gravtastic.rb#L79

    def gravatar_id
      Digest::MD5.hexdigest(send(self.class.gravatar_source).to_s.downcase)
    end

In rubygems.org, there is a setting that can make the email address private, but since the url of gravatar is public, the email address can be guessed unintentionally.

PoC

Start server in local
Create user as [email protected]
Confirm email address is private
{F1685876}

Open the profile of the user created in the secret window and get the url of gravatar

<div>
   <img width="300" height="300" src="http://gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0.png?d=retro&r=PG&s=300" />
</div>

Confirm that the generated hash matches the hash in the url.

require 'digest/md5'

mail = '[email protected]'
puts Digest::MD5.hexdigest(mail)

 ❯ ruby test.rb
 55502f40dc8b7c769880b10874abc9d0

Impact

The email address of a user who has set the email address as private may be obtained.

There was a similar discussion about wordpress.
https://www.wordfence.com/blog/2016/12/gravatar-advisory-protect-email-address-identity/

Many users seem to be affected because email addresses are now private by default.
https://github.com/rubygems/rubygems.org/pull/2663/files
Avoiding gravatar has too much of an impact, so I suggest that give the user the option to use gravatar (use gravatar by default).

JSON