Unsalted hashes endanger user's privacy

Bug #1248456 reported by Štefan Baebler
This bug affects 1 person
Affects: Libravatar (obsolete)

Bug Description

Exposing hashes of users' emails endangers the privacy of the user's email address, and possibly the user's true identity, even if the user has not set up his avatar. This violates many sites' privacy policies, forcing site maintainers to disable avatars completely (or make them opt-in for each individual user).


Using SHA256 is better in terms of collision avoidance, but is also vulnerable to dictionary and rainbow table attacks (albeit slightly more expensive).

Salting the hash would solve the problem, but would require the salt to remain a shared secret between the avatar provider and the web application showing the avatars. This means each web application should register with each avatar provider, keep a shared secret salt, and use it when showing images.

Not sure yet how this can work with federated providers though.

Štefan Baebler (stefanba) wrote :

Salting the hash per web application would allow the user to see which individual applications are using his avatar photos, and possibly give him control over which of his avatar photos he wants to show in which web application, while still using the same email address in all web applications.
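The per-application shared secret proposed in the description and in the comment above, sketched as an added example that is not part of the bug report or Libravatar's code. It assumes HMAC-SHA256 as the keyed hash in place of plain salt concatenation, and the `Provider` class, its method names and the sample addresses are hypothetical.

```python
import hashlib
import hmac
import secrets

def normalize(email):
    return email.strip().lower()  # assumed normalisation: trim, then lowercase

def public_id(email):
    # Unsalted: anyone can recompute this from a guessed address.
    return hashlib.sha256(normalize(email).encode()).hexdigest()

def keyed_id(email, app_secret):
    # Keyed with the per-application shared secret (HMAC, not concatenation).
    return hmac.new(app_secret, normalize(email).encode(), hashlib.sha256).hexdigest()

class Provider:
    """Hypothetical provider keeping one lookup index per registered application."""
    def __init__(self):
        self.avatars = {}  # email -> {app or "*": avatar}
        self.secrets = {}  # app -> shared secret
        self.index = {}    # app -> {keyed id: email}

    def register_app(self, app):
        secret = secrets.token_bytes(32)
        self.secrets[app] = secret
        self.index[app] = {keyed_id(e, secret): e for e in self.avatars}
        return secret

    def set_avatar(self, email, avatar, app="*"):
        e = normalize(email)
        self.avatars.setdefault(e, {})[app] = avatar
        for name, secret in self.secrets.items():
            self.index[name][keyed_id(e, secret)] = e

    def lookup(self, app, ident):
        e = self.index.get(app, {}).get(ident)
        if e is None:
            return None
        return self.avatars[e].get(app, self.avatars[e].get("*"))

def confirmed(observed, candidates, hasher):
    # Candidate addresses that an observer can match to a hash seen in a page.
    return [c for c in candidates if hmac.compare_digest(hasher(c), observed)]

if __name__ == "__main__":
    p = Provider()                                   # constructed sample data
    p.set_avatar("Alice@example.org", "default.png")
    forum = p.register_app("forum")
    print(p.lookup("forum", keyed_id("alice@example.org", forum)))
```

The protection holds only while each application's secret stays private, and the provider must maintain an index for every registered application.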

Changed in libravatar:
status: New → Triaged
tags: added: privacy
strk (strk) wrote :

This problem came out while trying to suggest Libravatar as an alternative to Gravatar for the OpenStreetMap project:

