89

We've recently discovered a vulnerability in our identicon generation process. To remedy it, we have changed how we approach generating them and regenerated all identicons. We do not have any indication that any personally identifiable information (PII) was leaked as part of this vulnerability.

Since 2013, we've been salting all identicon hashes, but still using email and IP addresses to generate them. Because of the sensitive nature of this type of data, we're moving entirely away from this method and instead will use an implementation going forward that does not involve any user-related information. Out of an abundance of caution, we're also forcibly changing all identicons across the Stack Exchange network, and chose to wait to communicate the change to you until the process was further along.

What are identicons?
Identicons are the default avatars we generate for users when they sign up.

Identicon Example

I really liked my identicon, can I get it back?
While we do not recommend that you continue using your old identicon, we can give you back the image so that you may upload it as a custom avatar. Please contact us asking for it and we'll be able to give you the image.
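To make the change concrete, here is an added example (not Stack Exchange's code, and it assumes a constructed salt and constructed user records rather than anything from the real system) contrasting the retired approach, a salted hash over email and IP address, with the replacement approach, a random seed that is generated once per account and stored. The first function shows why a deterministic hash of personal data is not anonymising: the same email and IP always produce the same identicon, so linked accounts are visible, and anyone holding the salt can confirm a guess by recomputing the hash. The store class shows the property that matters for the new scheme: the seed carries no user information, but it must be persisted, otherwise the user sees a different image on every render.

```python
import hashlib
import hmac
import secrets

# Constructed sample salt; not a real value from any site.
SALT = b"constructed-site-salt"


def weak_identicon_seed(email: str, ip: str, salt: bytes = SALT) -> str:
    """Retired approach described in the post: a salted hash of the user's
    email and IP address. It is a deterministic function of that PII, so two
    accounts created with the same email and IP get the same identicon."""
    message = f"{email.strip().lower()}|{ip}".encode()
    return hmac.new(salt, message, hashlib.sha256).hexdigest()


def salted_hash_confirms_guess(seed: str, email: str, ip: str,
                               salt: bytes = SALT) -> bool:
    """Risk check on the retired approach: a salt defeats precomputed tables,
    but anyone who holds the salt can verify whether a guessed email/IP pair
    produced a given identicon. That is why the page treats the old scheme
    as handling sensitive data rather than anonymised data."""
    return hmac.compare_digest(seed, weak_identicon_seed(email, ip, salt))


class IdenticonSeedStore:
    """Replacement approach: a random seed per account with no user-related
    input. The seed is created once and persisted (here in a dict, standing in
    for a database column) so the same image is shown on every render."""

    def __init__(self) -> None:
        self._seeds: dict[int, str] = {}

    def seed_for(self, user_id: int) -> str:
        if user_id not in self._seeds:
            # 32 random bytes from the OS CSPRNG; nothing derivable from
            # the account's email, IP, or any other attribute.
            self._seeds[user_id] = secrets.token_hex(32)
        return self._seeds[user_id]


def unstored_random_seed() -> str:
    """The failure mode described in the comments: drawing a fresh random
    value on every render instead of storing it, so the identicon changes
    each time the page is opened."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Constructed accounts, not real users.
    a = weak_identicon_seed("alice@example.com", "198.51.100.7")
    b = weak_identicon_seed("ALICE@example.com ", "198.51.100.7")
    print("old scheme links accounts sharing email+IP:", a == b)
    print("old scheme confirms a guess when salt is known:",
          salted_hash_confirms_guess(a, "alice@example.com", "198.51.100.7"))

    store = IdenticonSeedStore()
    print("new scheme is stable across renders:",
          store.seed_for(1) == store.seed_for(1))
    print("new scheme differs between users:",
          store.seed_for(1) != store.seed_for(2))
```

The comparison in `salted_hash_confirms_guess` uses `hmac.compare_digest` purely as good hygiene for comparing digests; the point of the function is that the check succeeds at all, which is the property the random seed removes.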

23
  • 5
    I see my new one on some sites (MSE, SO), but some sites still have my old one (AU). I realize that the post says "across the Stack Exchange network", but just to double-check, is this just a case of "blame caching" or is that a bug somewhere? Thanks!
    – cocomac
    Commented May 12, 2023 at 19:16
  • 8
    @cocomac the change is still being processed, it should be changed soon as it makes its way across the sites.
    – Cesar M StaffMod
    Commented May 12, 2023 at 19:19
  • 2
    @ShadowTheSpringWizard This solves two issues with Gravatar, but not the others. If this trend continues, they'll be fixing the "uses Gravatar" issue eventually. I'm optimistic we might get all the major privacy issues resolved.
    – wizzwizz4
    Commented May 12, 2023 at 22:11
  • 3
    huh. I wonder if the vulnerability had anything to do with a bunch of yucky profiles I found on SO previously all having the same identicon (no longer the case due to this change). those accounts were all batch created near the same time.
    – starball
    Commented May 12, 2023 at 23:20
  • 5
    @Samathingamajig if your Identicon hasn't been regenerated yet, you'll see that behavior - it's offering a freshly regenerated one every time you open it. Once you get a new Identicon (through our regeneration or if you set it to Identicon again), you will see the same one every time, which is the behavior you're expecting.
    – Kyle Pollard StaffMod
    Commented May 13, 2023 at 2:15
  • 10
    I do realize y'all are busy but having some notice before the cheese is moved is generally appreciated
    – Journeyman Geek Mod
    Commented May 13, 2023 at 4:32
  • 11
    @JourneymanGeek in this case it was a conscious decision not to comment/announce until the process was further along. Generally, we notify before. In this case we believe the right action was not to. That's also why the offer to have it recovered through the contact form is there (no forewarning).
    – Cesar M StaffMod
    Commented May 13, 2023 at 4:48
  • 19
    Make this [featured] maybe?
    – EvgenKo423
    Commented May 13, 2023 at 5:48
  • 2
    Could you provide more details on what data will be used instead for a hash and are there any user actions that will cause it to change again?
    – EvgenKo423
    Commented May 13, 2023 at 7:41
  • 9
    @EvgenKo423 it's just a random hash now, it shouldn't change
    – Kyle Pollard StaffMod
    Commented May 13, 2023 at 8:32
  • 8
    I wonder how feasible it was to actually recover email/IP given the salting present in the algorithm. (plus there's the issue of web.archive.org so realistically...)
    – user202729
    Commented May 14, 2023 at 2:18
  • 2
    So the reason behind the change was a possibility to retrieve the personal data?
    – maciejwww
    Commented May 14, 2023 at 15:07
  • 4
    @Idontgetit your name should not have been changed with the Identicon regeneration, let me dig into that
    – Kyle Pollard StaffMod
    Commented May 19, 2023 at 17:52
  • 4
    @Idontgetit your display name on MSE is coming from your network-wide default profile which has the display name "Idontgetit". The same would be true for your MathSE profile. I believe this is set when you save your profile and select "Save and copy changes to all public communities". The profile overriding system is a bit unintuitive, so let me know if I've missed something or if you still need help.
    – Kyle Pollard StaffMod
    Commented May 19, 2023 at 17:59
  • 13
    A number of posts are coming up on different meta sites concerning users having their profile picture randomly changed. I think because of that this post should be featured.
    Commented May 22, 2023 at 21:27
