Gravatar “Breach” Exposes Data of 100+ Million Users

The breach-notification service HaveIBeenPwned notified its users that the profile information of 114 million Gravatar users had been leaked online in what it characterized as a data breach. Gravatar denies that it was hacked.

Here’s a screenshot of the email that was sent to HaveIBeenPwned users that characterized the Gravatar event as a data breach:


Gravatar Breach

Gravatar Enumeration Vulnerability

The user information of every individual with a Gravatar account was open to being downloaded using software that “scrapes” the data.


While technically that isn’t a breach, the way in which user information was stored by Gravatar made it easy for a person with malicious intent to obtain user information which could then be used as part of another attack to gain passwords and access.

Gravatar accounts are public information. However, the individual user profile accounts aren’t publicly listed in a way that can easily be browsed. Ordinarily a person would need to know account information like the username in order to find the account and all of its publicly available information.

A security researcher discovered in late 2020 that Gravatar user account information was recorded in numerical order. A news report from the time described how the security researcher peeked into a JSON file linked from the profile page and found an ID number that corresponded to the sequential number assigned to that user.

The problem with that user identification number is that the profile could be reached with that number alone.


Because the number was not randomly generated but assigned in numerical order, anyone wishing to obtain all of the Gravatar usernames could do so by requesting and scraping the user profiles in numerical order.

Data Scraping Event

A data breach is defined as when an unauthorized person gains access to information that isn’t publicly available.

The Gravatar information was publicly available, but an outsider would need to know the username of the Gravatar user in order to reach that user’s Gravatar profile. Additionally, the email address of that user was stored in an insecure form (an MD5 hash).

An MD5 hash is insecure and can easily be reversed to the original email address (also called cracked). Storing email addresses as MD5 hashes provided only minor security protection.

That means that once an attacker downloaded the usernames and the MD5 hashes of the email addresses, it was then a simple matter for the users’ email addresses to be extracted.

According to the security researcher who originally discovered the username enumeration vulnerability, Gravatar had “virtually no rate limiting,” which means that a scraper bot could request millions of user profiles without being stopped or challenged for suspicious behavior.
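The two weaknesses just described, sequential profile IDs and no rate limiting, leave a recognizable trace in web server logs: one client walking through IDs in order at machine speed. The following detection logic is an added example, not code from the article or from Gravatar; the log format, IP addresses and path layout (`/<id>.json`) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (not real Gravatar logs), one request per line:
# "<client ip> [<ISO timestamp>] GET <path> <status>"
SAMPLE_LOG = """\
203.0.113.7 [2020-10-03T10:00:00] GET /12345.json 200
203.0.113.7 [2020-10-03T10:00:01] GET /12346.json 200
203.0.113.7 [2020-10-03T10:00:02] GET /12347.json 200
203.0.113.7 [2020-10-03T10:00:03] GET /12348.json 200
203.0.113.7 [2020-10-03T10:00:04] GET /12349.json 200
198.51.100.9 [2020-10-03T10:00:00] GET /alice.json 200
198.51.100.9 [2020-10-03T10:05:00] GET /bob.json 200
"""
LINE_RE = re.compile(r"^(\S+) \[(\S+)\] GET /(\d+)\.json (\d{3})$")

def parse(log_text):
    """Yield (ip, timestamp, numeric_id) for profile requests made by numeric ID.
    Requests by username (e.g. /alice.json) are skipped: the enumeration
    described in the article relies on the sequential numeric IDs."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), datetime.fromisoformat(m.group(2)), int(m.group(3))

def find_enumerators(log_text, min_requests=5, window_seconds=60):
    """Return {ip: (request_count, consecutive_fraction)} for clients that fetched
    at least min_requests numeric-ID profiles inside a sliding window of
    window_seconds and mostly stepped through the IDs in order (id, id+1, ...)."""
    by_ip = defaultdict(list)
    for ip, ts, pid in parse(log_text):
        by_ip[ip].append((ts, pid))
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()  # chronological order
        start = 0
        for end in range(len(reqs)):
            while (reqs[end][0] - reqs[start][0]).total_seconds() > window_seconds:
                start += 1  # drop requests that fell out of the window
            span = reqs[start:end + 1]
            if len(span) < min_requests:
                continue
            steps = [b[1] - a[1] for a, b in zip(span, span[1:])]
            consecutive = sum(1 for s in steps if s == 1) / len(steps)
            if consecutive >= 0.8:  # tolerate a few skipped or deleted IDs
                flagged[ip] = (len(span), consecutive)
                break
    return flagged
```

A rate limiter keyed on the same signal (many distinct numeric IDs per client per minute) would have stopped the scrape that the article describes, independently of whether the individual profiles are public.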

According to the news report from October 2020 that originally disclosed the vulnerability:

“While data provided by Gravatar users on their profiles is already public, the easy user enumeration aspect of the service with virtually no rate limiting raises concerns regarding the mass collection of user data.”

Gravatar Minimizes the User Data Collection

Gravatar tweeted public statements that minimized the impact of the user information collection.


The last tweet in the series from Gravatar encouraged readers to learn how Gravatar works:

“If you want to learn more about how Gravatar works or adjust the data shared in your profile, please visit http://Gravatar.com.”

Ironically, Gravatar linked to the insecure HTTP version of the URL. Upon reaching the URL there was no redirect on Gravatar’s side to the secure (HTTPS) version of the web page, which only undermined their efforts to project a sense of security.

Twitter Users React

One Twitter user objected to the use of the word “breach” because the information was publicly available.


The person behind the HaveIBeenPwned website responded:

Why the Gravatar Scraping Event Is Important

Troy Hunt, the person behind the HaveIBeenPwned website, explained in a series of tweets why the Gravatar scraping event is important.

Troy asserted that the data users entrusted to Gravatar was used in a way they did not expect.

Gravatar User Trust Eroded

Users Want Control Over Their Gravatar Information

Troy asserted that users want to be aware of how their information is used and accessed.


Were Gravatar Users Pwned?

An argument could be made that a Gravatar account may be public but should not be easily harvested as step one of a hacking campaign by people with malicious intent.

Gravatar asserted that after the enumeration vulnerability was disclosed, they took steps to close it and prevent further downloading of user information.

So on the one hand Gravatar took steps to prevent those with malicious intent from harvesting user information. But on the other hand they said that reports of Gravatar being hacked are misinformation.

But the fact is that HaveIBeenPwned didn’t call it a hacking event; they called it a breach.

An argument could be made that Gravatar’s use of the MD5 hash for storing email data was insecure, and the moment hackers cracked those weak hashes, the irregular scraping of “public information” became a breach.


Many Gravatar users aren’t particularly happy and are looking for answers:
