The breach-notification service HaveIBeenPwned notified its subscribers that the personal data of 114 million Gravatar users had been leaked online, describing the event as a data breach. Gravatar denies that it was hacked.
This is a screenshot of the email sent to the HaveIBeenPwned user, which describes the Gravatar incident as a data breach:
I hate to receive emails from this person 😭 pic.twitter.com/rkZrmzU7hp
— Troy Hunt (@troyhunt) December 6, 2021
Gravatar enumeration vulnerability
The user information of everyone with a Gravatar account can be downloaded using software that “scrapes” data.
Although this is not technically a breach, Gravatar stores user information in a way that makes it easy for malicious actors to obtain it, and that information can then be used as part of a further attack to obtain passwords and access.
Gravatar accounts are public information. However, individual user profile accounts are not publicly listed in an easy-to-browse manner. Generally, a person must know account information such as username to find the account and all publicly available information.
A security researcher discovered at the end of 2020 that Gravatar user accounts were numbered sequentially. A news report at the time described how the researcher looked into the JSON file linked from the profile page and found an ID field corresponding to the number assigned to the user.
The problem with this user ID number is that it can be used to access the profile directly.
Since the numbers are not randomly generated but assigned in order, anyone who wants the full list of Gravatar usernames can obtain it by requesting and scraping user profiles in numerical order.
Data scraping incident
A data breach is defined as an unauthorized person gaining access to non-public information.
Gravatar information is public, but an outsider must know a Gravatar user's username to reach that user's profile. In addition, the user's email address is stored in a weak form: an MD5 hash.
MD5 hashes are weak and can be reversed with little effort (a process known as cracking). Because email addresses are guessable, anyone holding the hashes can hash a list of candidate addresses and keep the ones that match, so storing email addresses as MD5 hashes provides only slight protection.
This means that once an attacker has downloaded the usernames and email MD5 hashes, it is easy to extract users' email addresses.
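To show why an unkeyed MD5 hash of an email address gives only slight protection, here is an added example written for this article; it is not code from the article, from the researcher or from Gravatar. It hashes a few constructed, made-up addresses the way the article describes, shows that the hashes are recovered simply by hashing a list of candidate addresses and comparing, and contrasts that with a keyed hash (HMAC-SHA256 with a server-side secret, an assumed mitigation), which the same comparison cannot reverse without the key.

```python
import hashlib
import hmac

# Constructed sample data (made-up addresses, not real Gravatar users).
CANDIDATE_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol.smith@example.net",
    "dave@example.com",
]


def gravatar_style_hash(email: str) -> str:
    """Unkeyed MD5 of the trimmed, lower-cased address: the scheme the article
    describes. Anyone can compute it, which is both the point of the design
    and its weakness."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def recover_from_md5(leaked_hashes, candidate_emails):
    """Why the protection is only slight: an email address is a guessable value,
    so whoever holds the hashes just hashes every address they already know of
    and looks for matches. Returns {hash: email} for every match."""
    lookup = {gravatar_style_hash(e): e for e in candidate_emails}
    return {h: lookup[h] for h in leaked_hashes if h in lookup}


def keyed_hash(email: str, key: bytes) -> str:
    """Assumed mitigation for an identifier that must not be reversible:
    HMAC-SHA256 with a server-side secret. The candidate-list comparison fails
    without the key because the hash cannot be reproduced for comparison."""
    return hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def recover_from_keyed(leaked_hashes, candidate_emails, guessed_key: bytes):
    """The same candidate-list comparison against keyed hashes: it succeeds only
    if `guessed_key` is the real server secret."""
    lookup = {keyed_hash(e, guessed_key): e for e in candidate_emails}
    return {h: lookup[h] for h in leaked_hashes if h in lookup}


if __name__ == "__main__":
    # Scraped-style data: MD5 hashes of two of the constructed addresses.
    scraped = [gravatar_style_hash("alice@example.com"),
               gravatar_style_hash("bob@example.org")]
    print("MD5 matched against a candidate list:", recover_from_md5(scraped, CANDIDATE_EMAILS))

    server_key = b"constructed-server-secret"
    scraped_keyed = [keyed_hash("alice@example.com", server_key)]
    print("HMAC, wrong key:", recover_from_keyed(scraped_keyed, CANDIDATE_EMAILS, b"wrong-guess"))
    print("HMAC, right key:", recover_from_keyed(scraped_keyed, CANDIDATE_EMAILS, server_key))
```

The keyed variant is a contrast, not a drop-in replacement: Gravatar's avatar lookup relies on third parties computing the hash from an email address themselves, so a hash that only the server can compute would not serve that purpose. The point the contrast makes is the article's: a public, unkeyed hash of a guessable value is not a secret, and a hash that is meant to stay unlinkable needs something the attacker does not have.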
According to the security researcher who originally discovered the username enumeration vulnerability, Gravatar had “almost no rate limit”, which means that scraping bots could request millions of user profiles without being blocked or challenged for suspicious behavior.
According to a news report from October 2020, when the vulnerability was initially disclosed:
“Although the data provided by Gravatar users in their personal profiles has been made public, there is almost no rate limit for the simple user enumeration of the service, which raises concerns about large-scale collection of user data.”
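The two problems described above (profiles reachable by sequential ID, and almost no rate limit on requesting them) are what a service operator would want to detect and to close. The following is an added example from the defender's side, not code from the article, the researcher or Gravatar: it parses constructed access-log lines, flags clients whose requests walk through consecutive profile IDs or exceed a request rate, and includes the simple per-client rate limiter the researcher found missing. The `/profiles/<id>.json` path, the thresholds, the IP addresses and the log lines are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (combined log format). The /profiles/<id>.json
# path is an assumed, hypothetical profile endpoint, not Gravatar's real one; the
# addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Dec/2021:10:00:00 +0000] "GET /profiles/100001.json HTTP/1.1" 200 812
203.0.113.7 - - [06/Dec/2021:10:00:00 +0000] "GET /profiles/100002.json HTTP/1.1" 200 790
203.0.113.7 - - [06/Dec/2021:10:00:00 +0000] "GET /profiles/100003.json HTTP/1.1" 200 805
203.0.113.7 - - [06/Dec/2021:10:00:01 +0000] "GET /profiles/100004.json HTTP/1.1" 200 798
203.0.113.7 - - [06/Dec/2021:10:00:01 +0000] "GET /profiles/100005.json HTTP/1.1" 404 153
203.0.113.7 - - [06/Dec/2021:10:00:01 +0000] "GET /profiles/100006.json HTTP/1.1" 200 811
203.0.113.7 - - [06/Dec/2021:10:00:02 +0000] "GET /profiles/100007.json HTTP/1.1" 200 802
203.0.113.7 - - [06/Dec/2021:10:00:02 +0000] "GET /profiles/100008.json HTTP/1.1" 200 799
198.51.100.5 - - [06/Dec/2021:10:00:03 +0000] "GET /profiles/557.json HTTP/1.1" 200 801
198.51.100.5 - - [06/Dec/2021:10:00:45 +0000] "GET /profiles/100002.json HTTP/1.1" 200 790
198.51.100.5 - - [06/Dec/2021:10:02:10 +0000] "GET /profiles/9981.json HTTP/1.1" 200 777
192.0.2.9 - - [06/Dec/2021:10:01:00 +0000] "GET /profiles/557.json HTTP/1.1" 200 801
192.0.2.9 - - [06/Dec/2021:10:01:10 +0000] "GET /profiles/100002.json HTTP/1.1" 200 790
192.0.2.9 - - [06/Dec/2021:10:01:25 +0000] "GET /profiles/42.json HTTP/1.1" 200 766
192.0.2.9 - - [06/Dec/2021:10:01:40 +0000] "GET /profiles/9981.json HTTP/1.1" 200 777
192.0.2.9 - - [06/Dec/2021:10:01:50 +0000] "GET /profiles/3.json HTTP/1.1" 200 780
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /profiles/(?P<id>\d+)\.json[^"]*" (?P<status>\d{3})'
)


def parse(lines):
    """Yield (client_ip, timestamp, profile_id) for each profile request."""
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, int(m["id"])


def enumeration_suspects(lines, min_requests=5, max_per_minute=60, seq_fraction=0.8):
    """Flag clients that either request profiles faster than `max_per_minute` or
    whose requests step through consecutive IDs (the signature of walking a
    sequential ID space). Returns {ip: stats} for flagged clients."""
    by_ip = defaultdict(list)
    for ip, ts, pid in parse(lines):
        by_ip[ip].append((ts, pid))
    suspects = {}
    for ip, hits in by_ip.items():
        if len(hits) < min_requests:
            continue
        hits.sort()
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        per_minute = len(hits) * 60 / max(span, 1)
        steps = [b[1] - a[1] for a, b in zip(hits, hits[1:])]
        sequential = sum(1 for s in steps if s == 1) / (len(steps) or 1)
        if per_minute > max_per_minute or sequential >= seq_fraction:
            suspects[ip] = {"requests": len(hits),
                            "per_minute": round(per_minute, 1),
                            "sequential_fraction": round(sequential, 2)}
    return suspects


class SlidingWindowLimiter:
    """The control the researcher said was missing: at most `limit` profile
    requests per client in any `window_seconds` window. Timestamps (epoch
    seconds) are supplied by the caller so the behaviour is deterministic."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        q = self.events[client]
        while q and q[0] <= now - self.window:   # forget requests outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    for ip, stats in enumeration_suspects(SAMPLE_LOG).items():
        print(ip, stats)
    limiter = SlidingWindowLimiter(limit=3, window_seconds=60)
    print([limiter.allow("203.0.113.7", t) for t in (0, 1, 2, 3, 61)])
```

On the sample, only 203.0.113.7 is flagged: eight requests in two seconds, every one exactly one ID after the previous. The browsing client 192.0.2.9 makes five requests with unrelated IDs over fifty seconds and stays below both thresholds. The sequential-ID heuristic is the useful one here, because a patient scraper can stay under any per-minute limit while still walking the whole ID space; random, non-guessable profile identifiers remove that signal entirely.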
Gravatar plays down the scraping of user data
Gravatar issued a public statement playing down the impact of the scraping of user information.
Gravatar uses verified personal data to help you establish your identity online. We know that someone on the Internet claims that Gravatar has been hacked, so we want to clarify the misinformation. (1/4)
— Gravatar.com (@gravatar) December 6, 2021
Gravatar has not been hacked. Our service allows you to control the data you want to share online. The data you choose to share publicly is provided through our API. Users can choose to share their full name, display name, location, email address, and a short biography.
(2/4)
— Gravatar.com (@gravatar) December 6, 2021
Last year, a security researcher abused our API to scrape public Gravatar data: usernames and the MD5 hashes of email addresses used to reference user avatars. We immediately patched the ability to collect public data in bulk. (3/4)
— Gravatar.com (@gravatar) December 6, 2021
The last tweet in the Gravatar thread encourages readers to learn how Gravatar works:
“If you want to learn more about how Gravatar works or adjust the data shared in your profile, please visit http://Gravatar.com.”
Ironically, the link uses plain HTTP, an insecure protocol. When the URL is opened, Gravatar does not redirect to the secure (HTTPS) version of the page, which only undermines its effort to project a sense of security.
Twitter user reaction
A Twitter user objected to the use of the word “breach” because the information is public.
I think it is unfair of @troyhunt to classify it as a breach. This is a scrape; they didn't get anything that hasn't been made public.
— Peter Morris #BlackLivesMatterToo (@MrPeterLMorris) December 6, 2021
The person behind the HaveIBeenPwned website responded:
This is why it says “scraped data”. But you can also argue that a “breach” is appropriate when data is obtained and misused outside the expected scope of what was provided. https://t.co/FwiqpUFSsp
— Troy Hunt (@troyhunt) December 6, 2021
Why the Gravatar scraping incident matters
Troy Hunt, the person behind HaveIBeenPwned, explained in a series of tweets why the Gravatar scraping incident is important.
Troy asserted that the data users entrusted to Gravatar was used in unexpected ways.
Gravatar user trust is eroded
The argument of “Well, it’s public data anyway” is the opinion of a few people. The vast majority of people keep saying “I didn’t expect my data to be used in this way, and I am very upset that it already exists and is delivered in this format”.
— Troy Hunt (@troyhunt) December 6, 2021
What can you do? People often ask the affected services to delete their data. This obviously won't put the genie back in the bottle, but once trust is eroded, this is a reasonable action.
— Troy Hunt (@troyhunt) December 6, 2021
Users want to control their Gravatar information
Troy asserts that users want to know how their information is used and accessed.
At the very least, this is about awareness. I want to know—*most* people want to know—when our personal data appears in places we didn't expect, and that's what @haveibeenpwned does.
— Troy Hunt (@troyhunt) December 6, 2021
Were Gravatar users breached?
An argument can be made that Gravatar accounts may be public, but they were not meant to be easily harvested by someone with malicious intent as the first step in an attack.
Gravatar says that after the enumeration vulnerability was disclosed, it took steps to close it and prevent further bulk downloading of user information.
So, on the one hand, Gravatar took measures to stop malicious actors from collecting user information. On the other hand, it says that reports of Gravatar being hacked are misinformation.
But the fact is that HaveIBeenPwned did not call it a hack; it called it a breach.
It can be argued that Gravatar's use of MD5 hashes to store email data is insecure. Once attackers crack the weak hashes, the unusual scraping of “public information” becomes a real vulnerability.
Many Gravatar users are not particularly happy and are looking for answers:
Will you publish this information on your website?
People who receive Gravatar notifications from Have I Been Pwned will visit your site to get the latest information.
I checked and there is nothing on your website.
Gravatar users should not be forced to contact support personnel for answers.
— Deborah Edwards-Onoro (@redcrew) December 6, 2021