4 easy tricks for using Gravatar in OSINT

cyb_detective · Published in OSINT Ambition · 6 min read · Mar 6, 2023

[Image: Gravatar logo]

Gravatar (Globally Recognized Avatars) is a service that lets a user upload an avatar and personal information once, and then use the Gravatar account to register quickly on various sites.

According to BuiltWith (https://trends.builtwith.com/widgets/Gravatar-Profiles), Gravatar profiles are supported by more than 14 million websites worldwide (8 million currently live).


These impressive statistics are largely due to the fact that Gravatar profiles are used for commenting on blogs based on WordPress, one of the most popular CMSs in the world.

Gravatar profiles are also used on many other popular sites. For example, Gravatar is the default avatar on Stack Overflow, a popular developer site.

Public statistics on the size of Gravatar's user base vary, ranging from 150 million to more than 400 million. In any case, the site is a very rich source of information for OSINT.

1. How to find a Gravatar account by email

Open any online MD5 hashing service (often labelled "MD5 encryption", for example https://www.md5online.org/md5-encrypt.html) and get the MD5 hash of the target email address.

[Screenshot: www.gravatar.com]

Open in browser:

https://www.gravatar.com/avatar/<MD5 hash>

(look at the address bar in the picture above)

This may display a photo of the person or their avatar, which can be used to collect further information about the target with reverse image search.

[Screenshot: www.gravatar.com]

If the Gravatar logo or some other neutral image is displayed, it doesn't mean that there is no valuable data in the account. In any case, check it with the method in the next section.

2. How to get Gravatar profile information from the MD5 hash of an email address

[Screenshot: en.gravatar.com]

Open in browser:

https://en.gravatar.com/<MD5 hash>.json

(look at the address bar in the picture above)

[Screenshot: jsonformatter.org]

The JSON string may contain:

  • profileUrl;
  • username;
  • links to photos (in rare cases there may be more than one);
  • given name;
  • family name;
  • current location;
  • (something else I haven't encountered or have forgotten about)

As you can see, you can sometimes find something that comes in handy for further investigation. The most important advantage of the two methods described above is that they can be automated.

3. How to get links to Gravatar profiles for a list of emails

[Screenshot: Google Sheets]

Create a table in Google Sheets with the columns email, MD5, Picture, JSON. Add some emails to column A.

[Screenshot: Google Sheets]

Open Extensions → Apps Script and paste the following code into the editor:

// Source: https://stackoverflow.com/questions/7994410/hash-of-a-cell-text-in-google-spreadsheet
// Custom sheet function: returns the MD5 of the cell text as 32 lowercase hex characters.
function MD5(input) {
  var rawHash = Utilities.computeDigest(Utilities.DigestAlgorithm.MD5, input);
  var txtHash = '';
  for (var i = 0; i < rawHash.length; i++) {
    var hashVal = rawHash[i];
    // computeDigest returns signed bytes (-128..127); shift negatives into 0..255
    if (hashVal < 0) {
      hashVal += 256;
    }
    // left-pad single hex digits so every byte becomes exactly two characters
    if (hashVal.toString(16).length == 1) {
      txtHash += '0';
    }
    txtHash += hashVal.toString(16);
  }
  return txtHash;
}

Save the project and return to the table.

In cell B2, add the formula =MD5(A2) and drag it down to the last row.

[Screenshot: Google Sheets]

In cell C2, add the formula:

=image("https://secure.gravatar.com/avatar/"&B2)

and drag the formula down (to the last row).

[Screenshot: Google Sheets]

Now if a user has a photo uploaded to Gravatar, we will see it!

Open Extensions → Apps Script again, add another very simple function and save the project:

function loadJSON(hash) {
  // Gravatar answers HTTP 404 for a hash with no profile; without muteHttpExceptions
  // UrlFetchApp.fetch() would throw and the cell would show an error instead of text.
  var response = UrlFetchApp.fetch("https://en.gravatar.com/" + hash + ".json",
                                   {muteHttpExceptions: true});
  if (response.getResponseCode() != 200) {
    return "no profile (HTTP " + response.getResponseCode() + ")";
  }
  var answer = response.getContentText();
  return answer;
}

[Screenshot: Apps Script editor]

Return to the table and put this formula in D2:

=loadJSON(B2)

[Screenshot: Google Sheets]

Now you see not only avatars but also information about the users: nicknames, names, locations, etc.

And now the very last function in this section. I’m adding it especially for those who will work with a big list and who find it hard to read every JSON string.

Open the script editor, add the following code and save the project:

function viewLogin(data) {
  var parsedJSON;
  try {
    parsedJSON = JSON.parse(data);
  } catch (e) {
    return "";  // the cell holds an error message or empty text, not profile JSON
  }
  // preferredUsername is the nickname that also appears in the profile URL
  var login = parsedJSON.entry[0].preferredUsername;
  return login;
}

[Screenshot: Apps Script editor]

Add =viewLogin(D2) to cell E2.

[Screenshot: Google Sheets]

Now in column E we have the nicknames of the users.

Similarly, you can write functions for all the other fields in the Gravatar profile JSON (replace entry[0].preferredUsername with the path to the other field).


To quickly find the path to a particular field in a JSON document, use a dedicated service, for example https://jsonpath.com/.

4. Guessing the email from the hash

The opposite case is also common: a link to a picture or a Gravatar profile is used to find out a person's email address.

The first thing you can do is go to any online service called "MD5 decrypt" and try to "decrypt" the string (in fact, such services simply look the hash up in their database of precomputed hashes, because MD5 cannot be reversed and brute-forcing it is very resource-intensive). Occasionally, this brings results.

You can also use various tools and services to search for hashes in leaks. There are quite a few of them, and I won't list them, to finish this article quickly.

There is also a third way, quick, free, and effective in quite a few cases: guessing the person's possible e-mail address.

I will describe how it works with a simple example. Suppose we opened a person's Gravatar profile and found out that their nickname is johnsmit333. Based on that, we can assume that they probably have an email such as johnsmit333@gmail.com, johnsmit333@outlook.com, johnsmit333@yahoo.com, etc.

Create a new sheet in the same document you used in the previous example. Put the emails in column A, compute their hashes in column B (as in the example above), and put the hash from the Gravatar profile in cell G2.

[Screenshot: Google Sheets]

Then add the following formula to C2 (and drag it down):

=if(B2=$G$2,"yes")

If the email is guessed correctly and matches the one used to register with Gravatar, the column shows "yes".

Now that you understand the general principle, the main question remains: "How do you generate the maximum possible number of variants of a user's e-mail address?"

[Screenshot: http://metricsparrow.com/toolkit/email-permutator/]

This is a very large topic that needs its own article. To start, you can use dedicated online services called "email permutators". There are a lot of them, and for maximum effect it is better to combine several of them.

Some additional material on the subject of nickname investigation can be found in this thread:
