
Add warning or deprecate library

Open intellix opened this issue 2 years ago • 4 comments

Since gravatar is a very simple system where the hashes represent an email that has gone through an MD5 hashing function, it's very easy to decrypt a gravatar and get back the original email that created the hash.

Graphics cards in 2008 were able to encrypt 160mil hashes a second and it's not difficult to run through the alphabet to create a list of all hashes to emails. Alongside that, Gravatar had a leak in 2021 that exposed 167 million profiles and you can use free online tools for converting hashes to emails.

This means that any application that uses gravatar images is basically exposing the emails of those users as well, just by using it.

I think this repository should be deprecated and a warning added when installing via NPM to warn people to not use gravatar.

intellix avatar Oct 23 '23 12:10 intellix

Yep this is a major security risk

marcjlyoung avatar Oct 23 '23 12:10 marcjlyoung

Looked around and this looks like a great alternative as it allows you to pass in any seed you wish (a simple numeric userId, for example): https://www.dicebear.com/playground/ and pick from various styles. But the point is you aren't using an MD5 of an email.

intellix avatar Oct 23 '23 18:10 intellix