Gravatar “Breach” Exposes Information of 100+ Million Users
The security alert service HaveIBeenPwned notified its users that the profile information of 114 million Gravatar users had been leaked online in what it characterized as a data breach. Gravatar denies that it was hacked.
Here is a screenshot of the email that was sent to HaveIBeenPwned users characterizing the Gravatar event as a data breach:
I hate getting emails from this man pic.twitter.com/rkZrmzU7hp
— Troy Hunt (@troyhunt) December 6, 2021
Gravatar Enumeration Vulnerability
The user information of every person with a Gravatar account was open to being downloaded using software that “scrapes” the data.
While technically that is not a breach, the way user information was stored by Gravatar made it easy for a person with malicious intent to obtain user information that could then be used as part of another attack to gain passwords and access.
Gravatar accounts are public information. However, the individual user profile accounts are not publicly listed in a way that can easily be browsed. Ordinarily a person must know account information such as the username in order to find the account and all of its publicly available information.
A security researcher discovered in late 2020 that Gravatar user account information was recorded in numerical order. A news report from the time described how the security researcher peeked into a JSON file linked from the profile page and found an ID number that corresponded to the numerical identifier assigned to that user.
The problem with that user identification number is that the profile can be reached with that number alone.
Because the number was not randomly generated but assigned in numerical order, anyone wishing to access all of the Gravatar usernames could obtain that information by requesting and scraping the user profiles in numerical order.
Data Scraping Event
A data breach is defined as an unauthorized person gaining access to information that is not publicly available.
The Gravatar information was publicly available, but an outsider would need to know the username of a Gravatar user in order to reach that user's profile. Additionally, the email address of that user was stored in an insecure form, as an MD5 hash.
An MD5 hash of an email address is insecure and can easily be reversed (cracked) by matching it against lists of known addresses. Storing email addresses in MD5 form provided only minor security protection.
That means that once an attacker had downloaded the usernames and the MD5 hashes of the emails, it was a simple matter to recover the users' email addresses.
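To show why an unsalted MD5 of an email address is not a confidentiality control, here is an added example (not code from the article or from Gravatar) that derives the hash the way Gravatar's documented avatar-URL scheme does, resolves a list of such hashes against a constructed candidate list, and contrasts it with a keyed hash; the email addresses and the `keyed_hash` design are constructed for illustration.

```python
import hashlib
import hmac

# Constructed addresses standing in for Gravatar users (not real data).
CANDIDATE_EMAILS = ["alice@example.com", "Bob.Smith@example.org", "carol@example.net"]


def gravatar_hash(email):
    """MD5 of the trimmed, lower-cased address: the documented scheme Gravatar
    uses for avatar URLs, so anyone who knows an address can derive its hash."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def resolve_hashes(scraped_hashes, candidates):
    """Map scraped MD5 values back to addresses from a candidate list.
    MD5 is fast and unsalted, so one pass over the candidates is enough;
    hashes with no matching candidate stay None."""
    table = {gravatar_hash(e): e.strip().lower() for e in candidates}
    return {h: table.get(h) for h in scraped_hashes}


def keyed_hash(email, key):
    """Contrast (a hypothetical design, not Gravatar's): HMAC-SHA256 under a
    server-side secret. Without the key, a candidate list cannot be matched
    offline, but third parties also can no longer derive the value themselves."""
    return hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()
```

The keyed variant only fits identifiers that do not need to be computable by third parties, which is why a public avatar scheme cannot simply adopt it.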
According to the security researcher who originally discovered the username enumeration vulnerability, Gravatar had “almost no rate limiting,” which means that a scraper bot could request millions of user profiles without being stopped or challenged for suspicious behavior.
According to the news report from October 2020 that originally disclosed the vulnerability:
“While data provided by Gravatar users on their profiles is already public, the easy user enumeration aspect of the service with almost no rate limiting raises concerns with regard to the mass collection of user data.”
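The two conditions the article describes, sequential profile IDs and almost no rate limiting, leave a recognizable trace in server logs. The following added example (not code from the article or from Gravatar) flags a client that walks numeric IDs in order or exceeds a request-rate threshold; the log format, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (not real Gravatar logs): 203.0.113.7 walks
# numeric profile IDs in order, 198.51.100.4 browses two profiles by name.
SAMPLE_LOG = """\
203.0.113.7 [06/Dec/2021:10:00:00] GET /1001.json 200
203.0.113.7 [06/Dec/2021:10:00:00] GET /1002.json 200
198.51.100.4 [06/Dec/2021:10:00:01] GET /alice.json 200
203.0.113.7 [06/Dec/2021:10:00:01] GET /1003.json 200
203.0.113.7 [06/Dec/2021:10:00:01] GET /1004.json 200
203.0.113.7 [06/Dec/2021:10:00:02] GET /1005.json 200
198.51.100.4 [06/Dec/2021:10:00:09] GET /bob.json 200
"""
LINE_RE = re.compile(r"^(\S+) \[([^\]]+)\] GET /([^ /]+)\.json \d+$")


def parse_log(text):
    """Yield (client, timestamp, profile identifier) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the constructed format are skipped
            client, ts, ident = m.groups()
            yield client, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"), ident


def analyse_clients(text, window_seconds=10, rate_limit=4, min_run=3):
    """Per client: peak requests in any sliding window, longest run of consecutive
    numeric IDs, and a flag when either crosses its threshold."""
    per_client = defaultdict(list)
    for client, ts, ident in parse_log(text):
        per_client[client].append((ts, ident))
    report = {}
    for client, events in per_client.items():
        events.sort()
        times = [ts for ts, _ in events]
        peak = start = 0
        for end in range(len(times)):  # sliding-window request rate
            while (times[end] - times[start]).total_seconds() >= window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        longest = run = 0
        prev = None
        for _, ident in events:  # runs of N, N+1, N+2 ... reveal ID walking
            cur = int(ident) if ident.isdigit() else None
            run = (run + 1 if prev is not None and cur == prev + 1 else 1) if cur is not None else 0
            longest, prev = max(longest, run), cur
        report[client] = {"peak_per_window": peak, "longest_sequential_run": longest,
                          "flagged": peak > rate_limit or longest >= min_run}
    return report
```

A rate limit alone would stop the burst shown here; the sequential-run check also catches a slow scraper that stays under the limit.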
Gravatar Minimizes User Data Collection
Gravatar tweeted public statements that minimized the impact of the user information collection.
Gravatar helps establish your identity online with an authenticated profile. We're aware of the conversation online that claims Gravatar was hacked, so we want to clear up the misinformation. (1/4)
— Gravatar.com (@gravatar) December 6, 2021
Gravatar was not hacked. Our service gives you control over the data you want to share online. The data you choose to share publicly is made available via our API. Users can choose to share their full name, display name, location, email address, and a short biography. (2/4)
— Gravatar.com (@gravatar) December 6, 2021
Last year, a security researcher scraped public Gravatar data – usernames and MD5 hashes of email addresses used to reference users' avatars – by abusing our API. We immediately patched the ability to harvest the public profile data en masse. (3/4)
— Gravatar.com (@gravatar) December 6, 2021
The last tweet in the sequence from Gravatar encouraged readers to learn how Gravatar works:
“If you want to learn more about how Gravatar works or modify the data shared on your profile, please visit http://Gravatar.com.”
Ironically, Gravatar linked to the insecure version of the URL, using HTTP. Upon reaching the URL there was no redirect to a secure (HTTPS) version of the web page, which only undermined their efforts to project a sense of security.
Twitter Users React
One Twitter user objected to the use of the word “breach” because the information was publicly available.
I think it was unfair of @troyhunt to classify that as a breach. It was screen scraping, they didn't get anything that wasn't already publicly available.
— Peter Morris #BlackLivesMatterToo (@MrPeterLMorris) December 6, 2021
The person behind the HaveIBeenPwned website responded:
That's why it says “scraped data”. But you could also argue that “breach” is appropriate when the data is obtained and misused outside the intended scope with which it was provided. https://t.co/FwiqpUFSsp
— Troy Hunt (@troyhunt) December 6, 2021
Why the Gravatar Scraping Event Is Important
Troy Hunt, the person behind the HaveIBeenPwned website, explained in a series of tweets why the Gravatar scraping event matters.
Troy asserted that the data users entrusted to Gravatar was used in a way that was unexpected.
Gravatar User Trust Eroded
The argument of “well, it's public data anyway” is a view held by the minority. The vast majority of people consistently say “I didn't expect my data to be used in this way and I'm unhappy it's now out there and being passed around in this format”.
— Troy Hunt (@troyhunt) December 6, 2021
What can you actually do about it? People often request that the impacted service delete their data. That clearly doesn't put the genie back in the bottle, but it's a reasonable action once trust is eroded.
— Troy Hunt (@troyhunt) December 6, 2021
Users Want Control Over Their Gravatar Information
Troy asserted that users want to be aware of how their information is used and accessed.
At the very least, it's awareness. I want to know – *most* people want to know – when our personal data appears in places we didn't expect it to, and that's precisely what @haveibeenpwned does.
— Troy Hunt (@troyhunt) December 6, 2021
Were Gravatar Users Pwned?
An argument can be made that a Gravatar account can be public but should not be easily harvested as step one of a hacking event by people with malicious intent.
Gravatar asserted that after the enumeration vulnerability was disclosed, it took steps to close it and prevent further downloading of user information.
So on the one hand Gravatar took steps to prevent those with malicious intent from harvesting user information. But on the other hand it said reports of Gravatar being hacked were misinformation.
But the fact is that HaveIBeenPwned did not call it a hacking event; it called it a breach.
An argument can be made that Gravatar's use of the MD5 hash for storing email data was insecure, and the moment hackers cracked those weak hashes, the irregular scraping of “public information” became a breach.
Many Gravatar users aren't particularly happy and are looking for answers:
Will you be publishing this news on your site?
People who received the Gravatar notice from Have I Been Pwned will go to your site for the latest information.
I checked, there's nothing on your site.
Gravatar users shouldn't be forced to contact support for answers.
— Deborah Edwards-Oñoro (@redcrew) December 6, 2021