The hash used for Gravatar on rubygems.org is a plain, unkeyed MD5 of the email address, which could allow an attacker to guess the user's email address.
https://en.gravatar.com/site/implement/hash/
https://github.com/chrislloyd/gravtastic/blob/master/lib/gravtastic.rb#L79
def gravatar_id
  Digest::MD5.hexdigest(send(self.class.gravatar_source).to_s.downcase)
end
rubygems.org has a setting that makes the email address private, but since the Gravatar URL is public, the email address can still be guessed from it.
[email protected]
<div>
<img width="300" height="300" src="http://gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0.png?d=retro&r=PG&s=300" />
</div>
require 'digest/md5'
mail = '[email protected]'
puts Digest::MD5.hexdigest(mail)
❯ ruby test.rb
55502f40dc8b7c769880b10874abc9d0
So the email address of a user who has set it to private can still be obtained.
There was a similar discussion about WordPress.
https://www.wordfence.com/blog/2016/12/gravatar-advisory-protect-email-address-identity/
Many users seem to be affected because email addresses are now private by default.
https://github.com/rubygems/rubygems.org/pull/2663/files
Dropping Gravatar entirely would have too much of an impact, so I suggest giving the user the option to use Gravatar (enabled by default).
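To make the proposal concrete, here is an added example (not rubygems.org code) contrasting the current helper, which derives a public URL from every user's address, with an opt-in version that serves a static image for users who have not enabled Gravatar. `User`, `DEFAULT_AVATAR` and the helper names are assumptions for illustration.

```ruby
require 'digest/md5'

# Constructed example user; not the rubygems.org model, just a plain struct.
User = Struct.new(:email, :gravatar_enabled, keyword_init: true)

# Unkeyed digest of the trimmed, lowercased address, as the Gravatar spec requires.
# Because there is no secret involved, anyone who sees the URL can confirm a
# guessed address simply by hashing it and comparing.
def gravatar_hash(email)
  Digest::MD5.hexdigest(email.to_s.strip.downcase)
end

# Current behaviour: the digest of the address appears in a public URL for
# every user, whether or not they marked their email as private.
def avatar_url_leaky(user, size: 80)
  "https://gravatar.com/avatar/#{gravatar_hash(user.email)}.png?d=retro&s=#{size}"
end

DEFAULT_AVATAR = '/images/default_avatar.png' # hypothetical locally served image

# Proposed behaviour: only users who opted in get a URL derived from their
# address; everyone else gets a fixed image that encodes nothing about them.
def avatar_url(user, size: 80)
  return DEFAULT_AVATAR unless user.gravatar_enabled
  avatar_url_leaky(user, size: size)
end

# Defender-side check: does this public URL confirm that it belongs to a
# given address? Useful for verifying that the opt-out really closes the leak.
def url_reveals_email?(url, email)
  url.include?(gravatar_hash(email))
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(email: 'Alice.Example@example.org', gravatar_enabled: false)
  puts avatar_url_leaky(alice)                                             # hash of her address is public
  puts avatar_url(alice)                                                   # static image instead
  p url_reveals_email?(avatar_url_leaky(alice), 'alice.example@example.org') # true
  p url_reveals_email?(avatar_url(alice), 'alice.example@example.org')       # false
end
```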