Investigative journalists have exploited a cryptographic weakness in a third-party website commenting service to expose politicians and other Swedish public figures who left highly offensive remarks on right-wing blogs, according to published reports.

People have been warning of the privacy risk posed by Gravatar, short for Globally Recognized Avatar, since at least 2009. That's when a blogger showed he was able to crack the cryptographic hashes the behind-the-scenes service uses to uniquely identify its users. The Gravatar hashes, which are typically embedded in any comment left on millions of sites that use the avatar service, are generated by passing a user's e-mail address through the MD5 cryptographic function. By running guessed e-mail addresses through the same algorithm and waiting for output that matches those found in comments, it's possible to identify the authors, many of whom believe they are posting anonymously.

According to a post published Wednesday by IDG News, that's precisely the hack the Swedish publication Expressen, working with an investigative journalism group, carried out to expose the public figures who participated in the right-wing forums. According to an English translation of this article: "It is the hatred of immigrants that ties [the participants] together."

Disqus, the web comment hosting provider for the forums, said in a brief blog post that it is disabling the Gravatar service and removing the MD5-hashed e-mail addresses from the Disqus platforms. It also said people who work to crack the hashes used by its service are in violation of its privacy guidelines.

Maybe. But given the amount of time Gravatar's decloaking weakness has been known, it's surprising that it's still taking some people by surprise. In addition to the 2009 blog post mentioned earlier in this post, the vulnerability was discussed in July at the PasswordsCon conference in Las Vegas. Using an upgraded modification of the attack, security researcher Dominique Bongard was able to de-anonymize participants advocating racial hatred and other extreme topics in online forums hosted in France. The country allows for severe legal penalties for voicing hate speech, so many participants often attempt to do so anonymously.

Not as hard as you think

People often think that it's hard to "brute force" crack hashes like the one Gravatar uses. In reality, it's frequently little more than a point-and-click exercise. Using the freely available Hashcat password cracking software, Bongard was able to make highly intelligent guesses that significantly reduced the time it took to deduce the plain-text e-mail addresses that generated the 32-character hashes. One part of the guess contained a small number of strings containing the names of the most popular e-mail services, such as "@gmail.com," "@yahoo.com," and "@hotmail.com." He then programmed Hashcat to append all possible eight-character strings to the left of those domain names. The technique allowed him to identify 45 percent of the e-mail addresses used to post comments he found in one of France's most well-known political forums.

The ease of cracking the hashes is largely the result of Gravatar's use of the MD5 algorithm. The lightweight function was designed from the beginning to be fast and require few computing resources. That means crackers equipped with a graphics processor can cycle through billions of guesses each second until they arrive at the right one. If Gravatar used a slower hash such as bcrypt, or possibly added a cryptographic salt to a user's e-mail address, cracking would be considerably harder. Gravatar is used by millions of websites, including Github and StackExchange. (It's also an option for Ars users, although Ars runs it through an anonymizing proxy, so it should be relatively safe, according to Ars lead developer Lee Aylward.) While most users of sites that work with Gravatar probably have no problems being identified with their account names, it would be a mistake to think they can't. Chances are, it's not hard to tie them to an e-mail address, at least on sites that don't use an anonymizing proxy.

Update: In an e-mail to Ars, Bongard said Gravatar's susceptibility to hash cracking stems more from the "the core way the service works" than the choice to use the MD5 algorithm. "That’s why they don’t fix it: because they simply can't," he wrote. Bongard also questioned some of the possible fixes I proposed above for making it harder to de-anonymize users. Using bcrypt "would be in some case an awful burden to the website owners," he explained. "Remember, THEIR servers now have to do the expensive computation. It would moreover not have helped much in a "confirmation" attack like the one presented in the article where the journalists were not brute-forcing, but only going through a short list of possible email addresses." He also questioned the use of salt. "I am not sure how that could possibly work," he said. "How would the website, like Ars for example, know the Gravatar salt for a particular email address?"

I gratefully stand corrected, Mr. Bongard.

Post updated to add details about Ars.