A user enumeration technique discovered by security researcher Carlo Di Dato demonstrates how Gravatar can be abused by web crawlers and bots for mass collection of its profile data.
Gravatar is an online avatar service that lets users set and use a profile picture (avatar) across multiple websites that support Gravatar.
The most recognizable uses of Gravatar are perhaps WordPress websites integrated with the service, and GitHub.
While data provided by Gravatar users on their profiles is already public, the easy user enumeration aspect of the service with virtually no rate limiting raises concerns with regards to the mass collection of user data.
How to access a Gravatar profile (officially)
In our demonstration of this bug, we will use the profile "beau" that is mentioned in Gravatar's docs. This profile belongs to Beau Lebens, Head of Product Engineering for WooCommerce at Automattic.
According to Gravatar's official documentation, the URL structure of a Gravatar profile consists of either a username or an MD5 hash of the email address associated with that profile.
This means a profile with the username "beau" can be accessed at https://en.gravatar.com/beau, or by navigating to https://www.gravatar.com/205e460b479e2e5b48aec07710c08d50, which ultimately redirects the visitor to the user's public Gravatar page.
This is not a problem in itself: in either case, Beau's Gravatar username or the MD5 hash cannot be easily guessed by a visitor and has to be known beforehand.
However, there is an additional method of accessing user data that is not disclosed in the docs: simply using the numeric ID associated with each profile to fetch its data.
Hidden URL route enables user enumeration
Italian security researcher Carlo Di Dato, on discovering this possibility, reached out to BleepingComputer this week after failing to get concrete action from Gravatar.
As can be observed in Beau's example profile above, clicking the "JSON" link on the page leads to http://en.gravatar.com/beau.json, which returns a JSON representation of the profile data.

Source: BleepingComputer
The field "id" in the JSON blob immediately caught Di Dato's attention.
A hidden API route in the service enables anyone to obtain the user's JSON data by simply using the profile "id" field.
"I spotted an interesting field named 'id' (it's an integer value). The next step was to test if my profile was accessible using the 'id'," the researcher told BleepingComputer.
"So I browsed to http://en.gravatar.com/ID.json and it worked. Now that I know I can access [the user's JSON data] using an integer value, the next logical step was to check if I can perform a user enumeration," he continued.
By writing a simple test script that sequentially visits the profile URLs for IDs 1 to 5000 (as shown below), Di Dato was able to collect the JSON data of the first 5000 Gravatar users without issue.
http://en.gravatar.com/1.json
http://en.gravatar.com/2.json
http://en.gravatar.com/3.json
http://en.gravatar.com/4.json
...
"If you take a look at the JSON file, you will find a lot of interesting information. The danger of this kind of issue is that a malicious user could download a huge amount of data and perform any kind of social engineering attack against legit users," said Di Dato.
In our tests, BleepingComputer could confirm that certain user profiles exposed more public data than others: for example, Bitcoin wallet addresses, phone numbers, and location.
The users who create public profiles on Gravatar consent to making this data publicly available, so this is not a data leak or a privacy issue in that regard.
"Of course, Mr. Stephen knows that registering on Gravatar, his data will be publicly accessible. What I'm almost sure he doesn't know, is that I was able to retrieve this data querying Gravatar in a way which should not be possible," stated Di Dato.
He continued, "As Gravatar states in its guides, I should have Mr. Stephen's email address or his Gravatar user name to perform the query. Without this information, it should have been almost impossible for me to get Mr. Stephen's data, right?"

An issue like this becomes problematic because any web crawler or bot can now sequentially query virtually the entire Gravatar database and harvest public user data with ease, thanks to this little-known but effective technique.
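The sequential walk described above leaves a recognizable trace in a site's own access logs, which is where an operator can catch it even without rate limiting in place. The following is an added example (not code from the article, from Gravatar, or from the researcher) that scans constructed Common Log Format lines and flags any client that fetches a dense run of numeric-ID profile routes within a short window; the client addresses, timestamps, IDs and thresholds are assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Common Log Format lines (not real Gravatar traffic); the client
# addresses come from documentation ranges and the IDs/timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2020:10:00:01 +0000] "GET /1.json HTTP/1.1" 200 812
203.0.113.7 - - [12/Oct/2020:10:00:01 +0000] "GET /2.json HTTP/1.1" 200 790
203.0.113.7 - - [12/Oct/2020:10:00:02 +0000] "GET /3.json HTTP/1.1" 200 801
203.0.113.7 - - [12/Oct/2020:10:00:02 +0000] "GET /4.json HTTP/1.1" 404 120
203.0.113.7 - - [12/Oct/2020:10:00:03 +0000] "GET /5.json HTTP/1.1" 200 655
198.51.100.20 - - [12/Oct/2020:10:00:05 +0000] "GET /beau.json HTTP/1.1" 200 812
198.51.100.20 - - [12/Oct/2020:10:00:09 +0000] "GET /205e460b479e2e5b48aec07710c08d50 HTTP/1.1" 302 0
192.0.2.44 - - [12/Oct/2020:10:00:11 +0000] "GET /42.json HTTP/1.1" 200 700
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Only the undocumented numeric route (/<id> or /<id>.json) is of interest;
# the username and hash routes require prior knowledge and are not counted.
NUMERIC_ID_ROUTE = re.compile(r'^/(\d+)(?:\.json)?$')


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable lines."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_dense_run(ids):
    """True when the sorted IDs cover at least half of the span they fall in,
    i.e. the client is walking the ID space rather than fetching scattered profiles."""
    span = ids[-1] - ids[0] + 1
    return span <= 2 * len(ids)


def find_enumerators(log_text, window_seconds=60, min_ids=5):
    """Return {client: summary} for clients that fetched at least min_ids distinct
    numeric profile IDs forming a dense run inside some window_seconds-long window.
    Status codes are ignored on purpose: a 404 for an unused ID is still a probe."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = NUMERIC_ID_ROUTE.match(rec["path"])
        if m is None:
            continue
        by_client[rec["client"]].append((rec["ts"], int(m.group(1))))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for client, hits in by_client.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window forward so it never spans more than window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ids = sorted({pid for _, pid in hits[start:end + 1]})
            if len(ids) >= min_ids and is_dense_run(ids):
                flagged[client] = {"distinct_ids": len(ids), "low": ids[0], "high": ids[-1]}
                break
    return flagged


if __name__ == "__main__":
    for client, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {info['distinct_ids']} numeric IDs from {info['low']} to {info['high']}")
```

The density test matters more than the raw request count: a legitimate integration fetching a handful of known profiles produces scattered IDs, while a crawler walking the ID space produces a contiguous run, and that run is visible even when many of the probed IDs return 404.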
In the past, criminals have scraped Facebook profile data in bulk using its APIs and sold the dumps on the dark web for profit.
BleepingComputer emailed Gravatar for comment but we have not yet received a response from them.

Comments
MoneyEngage - 4 months ago
Gravatar user profile settings page clearly mentions that whatever information users enter in their profile will become public information as Gravatar is a public avatar service. Here is the screenshot where it is clearly mentioned that whatever information you share will become public: https://i.imgur.com/qfiNohO.png Bleeping computer, please do not allow publishing of such articles as data breach.
AxSharma - 4 months ago
Hi there,
The article is from 2020 and it appears the sudden traction to this article is coming from the recent HaveIBeenPwned disclosure. The article clearly communicates Gravatar data is already public in the lede and the issue highlighted here is the ease of data scraping and no rate limiting controls on Gravatar, rather than "data breach" - there is no mention of a "breach" prior to your comment:
"While data provided by Gravatar users on their profiles is already public, the easy user enumeration aspect of the service with virtually no rate limiting raises concerns with regards to the mass collection of user data."
...
"The users who create public profiles on Gravatar consent to making this data publicly available, so this is not a data leak or a privacy issue in that regard."
do_not_leave_mail - 3 months ago
you simply don't understand.
MoneyEngage - 4 months ago
Also the ID json enumeration issue mentioned on this page does not work anymore.
So URLs like these do not show any data:
http://en.gravatar.com/ID.json
http://en.gravatar.com/ID
http://en.gravatar.com/1428.json
http://en.gravatar.com/1428
This article should be updated to reflect that!
Rrtid54 - 4 months ago
I'm just pointing out that the article is from October, 2020, and I'm guessing that Gravatar has made changes to address the security error.
BigBodyBigFoot - 4 months ago
bro this article is over a year old. don't ask for them to update something so old
MoneyEngage - 4 months ago
Hey Bro. I understand. But, this particular BleepingComputer.com article has been linked to Today (Dec 5 2021) by haveibeenpwned.com https://haveibeenpwned.com/PwnedWebsites#Gravatar - they have linked to this outdated article citing a recently added breach: https://i.imgur.com/hSxGE4f.png
Rwaldot - 4 months ago
Those unsalted MD5 hashes taken together with the ability to access all the profiles incrementally effectively made Gravatar a bulk-harvestable data trove. And that included potentially private email addresses, which weren't necessarily on the profile.
I agree it's not a very big deal as far as account pwnage goes... but the exposure was well worth reporting on IMHO. I was also glad to see it included in HIBP.
wegotpwned - 4 months ago
LOL Gravatar SCREWED UP BIG TIME by doing things in such an evidently amateurish way in the first place (what happened at the code review, IF THERE WAS ANY?), and it doesn't matter if the issue was fixed because it's TOO LATE! The cat's outta the bag, and why the ____ are you defending them unless you're an employee?
Jyk7IERST1AgVEFCTEUg - 4 months ago
This is the important part of that release: "114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data."
The article is simply stating how the original hashes were obtained.
quicksite - 4 months ago
I'm not an engineer or techie. Could someone advise what is my corrective action here? I'm supposed to update my p/w at gravatar.com ?
Lawrence Abrams - 4 months ago
Only your email was exposed, not your password.
Can be used for targeted phishing to try and steal passwords.
little_wolf123 - 4 months ago
I never created a Gravatar account, yet my email address is on the recent HIBP breach list. Furthermore, when I try to log in to Gravatar I see it uses ONLY a Wordpress account for login (I do have a Wordpress account). Any reasonable explanation for both of these points?
do_not_leave_mail - 3 months ago
Well, Wordpress is a lucky strike, they go arm in arm with Gravatar.
How about me, never had any of their services, but I'm in in the gravatar breach.
Gravatar says people go with a public profile so the information is there to be seen by everyone, but this is the first time my email is in a data breach and wtf, associated with a website I've never heard of before; no one is able to explain that to me, my G account is safe and sound, as is my computer. The way they defend themselves stinks.