The security alert company HaveIBeenPwned notified users that the profile information of 114 million Gravatar users had been leaked online, considering it a data breach. Gravatar denies being hacked.
Here’s a screenshot of the email sent to HaveIBeenPwned users that characterized the Gravatar event as a data breach:
I hate getting emails from this guy 😭
— Troy Hunt (@troyhunt) December 6, 2021
Gravatar Enumeration Vulnerability
The user information of every person with a Gravatar account was open to being downloaded using software that “scrapes” the data.
While technically that is not a breach, the manner in which user information was stored by Gravatar made it easy for a person with malicious intent to obtain user information, which could then be used as part of another attack to gain passwords and access.
Gravatar accounts are public information. However, the individual user profile accounts are not publicly listed in a way that can easily be browsed. Ordinarily, a person would have to know account information like the username to find the account and all the publicly available information.
A security researcher discovered in late 2020 that Gravatar user account information was recorded in numerical order. A news report from the time described how the security researcher peeked into a JSON file linked in the profile page that revealed an ID number corresponding to the numerical number assigned to that user.
The problem with that user identification number is that the profile could be reached with that number.
Because the number was not randomly generated but in numerical order, anyone wishing to access all the Gravatar usernames could obtain that information by requesting and scraping the user profiles in numerical order.
Data Scraping Event
A data breach is defined as when an unauthorized person gains access to information that is not publicly available.
The Gravatar information was publicly available, but an outsider would have to know the username of the Gravatar user to gain access to the Gravatar user profile. Additionally, the email address of that user was stored in an insecure encrypted manner (called an MD5 hash).
An MD5 hash is insecure and can easily be unencrypted (also known as cracked). Storing email addresses in the MD5 format provided only minor security protection.
That means that once an attacker downloaded the usernames and the email MD5 hash, it was a simple matter for the user’s email address to be extracted.
According to the security researcher who initially discovered the username enumeration vulnerability, Gravatar had "virtually no rate limiting," which means that a scraper bot could request millions of user profiles without being stopped or challenged for suspicious behavior.
According to the news report from October 2020 that originally divulged the vulnerability:
“While data provided by Gravatar users on their profiles is already public, the easy user enumeration aspect of the service with virtually no rate limiting raises concerns with regards to the mass collection of user data.”
Gravatar Minimizes User Data Collection
Gravatar tweeted public statements that minimized the impact of user information collection.
Gravatar helps establish your identity online with an authenticated profile. We’re aware of the conversation online that claims Gravatar was hacked, so we want to clear up the misinformation. (1/4)
— Gravatar.com (@gravatar) December 6, 2021Gravatar was not hacked. Our service gives you control over the data you want to share online. The data you choose to share publicly is made available via our API. Users can choose to share their full name, display name, location, email address, and a short biography. (2/4)
— Gravatar.com (@gravatar) December 6, 2021Last year, a security researcher scraped public Gravatar data – usernames and MD5 hashes of email addresses used to reference users’ avatars by abusing our API. We immediately patched the ability to harvest the public profile data en masse. (3/4)
— Gravatar.com (@gravatar) December 6, 2021
The final tweet in the series from Gravatar encouraged readers to learn how Gravatar works.
Ironically, Gravatar linked to an insecure protocol of the URL, using HTTP. Upon reaching the URL, there was no redirect on Gravatar to a secure (HTTPS) version of the web page, which only undermined their efforts to project a sense of security.
Twitter Users React
One Twitter user objected to the use of the word “breach” because the information was publicly available.
I think it was unfair of @troyhunt to classify that as a breach. It was screen scraping, they didn’t get anything that wasn’t already publicly available.
— Peter Morris #BlackLivesMatterToo (@MrPeterLMorris) December 6, 2021
The person behind the HaveIBeenPwned website responded:
That’s why it says “scraped data”. But you could also argue that “breach” is appropriate when the data is obtained and misused outside the intended scope with which it was provided.
— Troy Hunt (@troyhunt) December 6, 2021
Why Gravatar Scraping Event Is Important
Troy Hunt, the person behind the HaveIBeenPwned website, explained in a series of tweets why the Gravatar scraping event is important.
Troy asserted that the data users entrusted to Gravatar was used in a way that was unexpected.
The argument of "well, it’s public data anyway" is a view held by the minority. The vast majority of people consistently say "I didn’t expect my data to be used in this way and I’m unhappy it’s now out there and being passed around in this format".
— Troy Hunt (@troyhunt) December 6, 2021What can you actually do about it? People often request that the impacted service delete their data. That obviously doesn’t put the genie back in the bottle, but it’s a reasonable action once trust is eroded.
— Troy Hunt (@troyhunt) December 6, 2021
Users Want Control Over Their Gravatar Information
Troy asserted that users want to be aware of how their information is used and accessed.
At the very least, it’s awareness. I want to know – most people want to know – when our personal data appears in places we didn’t expect it to, and that’s precisely what @haveibeenpwned does.
— Troy Hunt (@troyhunt) December 6, 2021
Were Gravatar Users Pwned?
An argument could be made that a Gravatar account can be public but not easily harvested as Step One of a hacking event by people with malicious intent.
Gravatar asserted that after the enumeration attack vulnerability was disclosed, they took steps to close it to prevent further downloading of user information.
So, on the one hand, Gravatar took steps to prevent those with malicious intent from harvesting user information. But on the other hand, they said reports of Gravatar being hacked are misinformation.
But the fact is that HaveIBeenPwned did not call it a hacking event; they called it a breach.
An argument could be made that Gravatar’s use of the MD5 hash for storing email data was insecure, and the moment hackers cracked the insecure encryption, the abnormal scraping of “public information” became a breach.
Many Gravatar Users Aren’t Happy and Seek Answers
Will you be publishing this info on your site? People who received the Gravatr notice from Have I been Pwned will visit your site for the latest information. I checked, there’s nothing on your site. Gravatar users shouldn’t be forced to contact support for answers.
— Deborah Edwards-Oñoro (@redcrew) December 6, 2021