Profile picture can leak mail

  • yschenko
    12th Oct 2015 Member 1 Permalink
    Hello! I have been monitoring the IRC log and I heard that gravatar can leak email! This means anyone can get your mail just from your profile picture in tpt! Privacy is very important, so I think it would be a good idea to let you know!

    Here is an example:

    [REDACTED]

    I hope the powder administrators will fix this issue very quickly!

    Greetings.


    PS: Simon pls if u don't want to have interest in TPT at least give some moderator server power (like jacob1, he is a bad IRC moderator but would be a good server operator) so they can fix issues with the server when u are not here.
    Edited 4 times by jacob1, yschenko. Last: 12th Oct 2015
  • jacob1
    12th Oct 2015 Developer 3 Permalink
    @yschenko
    Please don't post data, we already told you not to scrape the website for data and you were IP banned, but apparently that wasn't enough.


    Anyway just to clarify, by using gravatar, the md5 of your email is used to get your gravatar. This isn't very good and I don't know why gravatar does this. To fix it, either:
    a) upload an avatar manually at this page: https://powdertoy.co.uk/Profile/Avatar.html
    b) Don't use an email which is "yourtptusername@gmail.com" or something easily guessable. The only way to get the md5 from the email is to guess a bunch of md5s and then check if they match the ones from TPT.

    More information on gravatar: http://www.developer.it/post/gravatars-why-publishing-your-email-s-hash-is-not-a-good-idea
    And yes, even if you don't have a gravatar, your md5 hash is still shown.
    Edited once by jacob1. Last: 12th Oct 2015
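
A self-check for option (b) above, added here as an example and not taken from the thread or from TPT's code: it computes the hash Gravatar derives from an address (MD5 of the trimmed, lower-cased email) and reports whether your own address is one that could be guessed from your public username. The provider list, the username variations and the sample addresses are assumptions constructed for illustration.

```python
import hashlib

# Assumed list of common mail providers; extend it with the ones you use.
COMMON_DOMAINS = ("gmail.com", "yahoo.com", "hotmail.com", "outlook.com")


def gravatar_hash(email: str) -> str:
    """Identifier exposed in the avatar URL: MD5 of the normalised address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def candidate_addresses(username: str, domains=COMMON_DOMAINS) -> list:
    """Addresses derivable from nothing but the public username."""
    name = username.strip().lower()
    local_parts = {
        name,
        name.replace("_", "."),
        name.replace("_", ""),
        name.replace(".", ""),
    }
    return sorted(f"{lp}@{d}" for lp in local_parts for d in domains)


def audit(username: str, email: str, domains=COMMON_DOMAINS) -> dict:
    """Check whether the exposed hash maps back to `email` via a simple guess."""
    exposed = gravatar_hash(email)
    matches = [c for c in candidate_addresses(username, domains)
               if gravatar_hash(c) == exposed]
    return {
        "exposed_hash": exposed,
        "guessable": bool(matches),
        "matched_guess": matches[0] if matches else None,
    }


if __name__ == "__main__":
    # Constructed sample accounts, not real users.
    for user, mail in [("some_player", " Some_Player@gmail.com"),
                       ("some_player", "k7q.alias@example.org")]:
        result = audit(user, mail)
        verdict = "GUESSABLE" if result["guessable"] else "not in guess list"
        print(f"{user}: {result['exposed_hash']} -> {verdict}")
```

A "not in guess list" result only means the address is outside the patterns tried here; uploading an avatar manually, option (a), is what keeps a Gravatar image from being used.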