Ollie Bennett

Project Details

GetAvatar (since 2016)

Extract email from Gravatar images

getavatar.info | source code

JavaScript MD5 Web Workers

GetAvatar attempts to derive a (supposedly) anonymous email address behind a given Gravatar URL.

Gravatar uses an MD5 hash of the user’s email address to display an avatar / profile picture. If the user is registered on Gravatar, we can retrieve details from the Gravatar API and repeatedly guess combinations of names against various email provider domains to try and find a match.

I built this as a proof of concept, showcasing the potential inherent (and unfixable?) vulnerability in the Gravatar system. I’m pretty sure there’s no justifiable use case!
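The hashing step described above, next to one way a site that embeds avatars can avoid publishing the hash. This is an added example, not code from GetAvatar's source. The function names, the sample address and the idea of a same-origin avatar proxy that resolves the token server-side are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Gravatar's documented derivation: trim, lowercase, then unsalted MD5.
// There is no key or salt, so the output is the same for everyone, everywhere.
function gravatarHash(email) {
  const normalised = email.trim().toLowerCase();
  return crypto.createHash("md5").update(normalised).digest("hex");
}

// Because no secret is involved, any party that already suspects an address
// can confirm it against a hash seen in a public avatar URL.
function matchesPublicHash(candidateEmail, publicHash) {
  return gravatarHash(candidateEmail) === publicHash.toLowerCase();
}

// Hardened form for the embedding site (assumed design): publish a keyed
// token instead of the MD5. Only the server holds serverKey, so an outsider
// cannot recompute the token from a guessed address. The server maps the
// token back to the user and fetches the Gravatar image itself.
function opaqueAvatarToken(email, serverKey) {
  const normalised = email.trim().toLowerCase();
  return crypto.createHmac("sha256", serverKey).update(normalised).digest("hex");
}

// Constructed sample data, not a real account.
const SAMPLE_EMAIL = " Jane.Doe@Example.com ";
const SERVER_KEY = crypto.randomBytes(32); // per-deployment secret

function demo() {
  const publicHash = gravatarHash(SAMPLE_EMAIL);
  return {
    // What a page leaks when it links to the Gravatar image directly.
    exposedInMarkup: publicHash,
    confirmableByOutsider: matchesPublicHash("jane.doe@example.com", publicHash),
    // What a page exposes when it links to its own proxy route instead.
    proxiedToken: opaqueAvatarToken(SAMPLE_EMAIL, SERVER_KEY),
  };
}

console.log(demo());
```

The token only helps if the proxy does not redirect the browser to the Gravatar URL, since a redirect would expose the MD5 again.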