Gravatar has made headlines again thanks to an untended use of its API. Gravatar, created by Tom Preston-Werner and acquired by Automattic in 2007, enables users to upload an image for an avatar and use it across any site that has built-in support for the service.
Have I Been Pwned? recently contacted its users to notify them that their email address may have been part of data that was scraped from Gravatar. The service references an article published on BleepingComputer from 2020 that details how security researcher, Carlo Di Dato, used the Gravatar API to easily enumerate MD5 hashes that are associated with a user’s email address. In addition to email addresses, Dato was able to scrape any information that a user placed in their Gravatar profile.
Gravatar specifies that its service, by design, is to allow users to create a public profile that is consistent across Internet services and websites. This information is shared with all websites that utilize Gravatar.
The security concerns surrounding Gravatar and the way it works have been written about and documented as early as 2009.
- 2009 – Gravatars: why publishing your email’s hash is not a good idea
- 2013 – Got an account on a site like Github? Hackers may know your e-mail address
- 2016 – Gravatar Advisory: How to Protect Your Email Address and Identity
There are two things about this news that sets it apart from other coverage over the years. The first is that this is the first time that I can remember where Gravatar has publicly addressed security issues related to its service. The second is that a security researcher used the API to not only enumerate the MD5 hashed email addresses, but also scraped all of the information that is in user profiles and released it as a data store. Gravatar says it has locked down its API to prevent this type of unintended use from occurring again. It’s important to note that passwords are not part of the scraped data.
In my opinion, an email address is information that a user typically reserves the right to make public or not. I’m willing to bet that most Gravatar users probably didn’t sign up thinking their email address would become public knowledge outside of the sites that utilize the service.
The way in which Gravatar encodes an email address is more like a courtesy than a secure way to keep it from prying eyes. Despite concerns expressed over the years, Gravatar remains as a core feature in WordPress, websites continue to add support for it, and users continue to utilize it.
If you’re looking for an alternative to Gravatar, check out the WP User Avatars plugin by John James Jacoby. This plugin allows users to upload and select their own avatars. By the way, managing Gravatars in WordPress is still a pain in the butt as I highlighted in 2016. The more things change, the more they stay the same.