Gravatar

Type of site: Avatar hosting
Owner: Automattic
Created by: Tom Preston-Werner
URL: gravatar.com
Commercial: Yes
Registration: Optional

Gravatar (a portmanteau of globally recognized avatar) is a service for providing globally unique avatars and was created by Tom Preston-Werner. Since 2007, it has been owned by Automattic, which has integrated it into its WordPress.com blogging platform.

Functionality

On Gravatar, users can register an account based on their email address, and upload an image of their choice to be associated with that email address. Gravatar plugins are available for popular blogging software; when the user posts a comment on such a blog that requires an email address, the blogging software checks whether that email address has an associated avatar at Gravatar. If so, the Gravatar is shown along with the comment. Gravatar support is provided natively in WordPress as of v2.5 [1] and in the web-based project management application Redmine beginning with version 0.8. [2] Support for Gravatar is also provided via third-party modules for web content management systems such as Drupal and MODX. [3] [4]

A user's profile data is available in a number of metadata standards, including hCard, JSON, XML, PHP, and vCard as well as via QR codes. The raw data formats (JSON, XML, and PHP) use the Portable Contacts standard. [5]

A Gravatar image can be up to 2048 pixels wide, is always square and is displayed at 80 by 80 pixels by default. [6] If the uploaded avatar is larger or smaller, the avatar is scaled appropriately. Each Gravatar is rated with an MPAA-style age recommendation, allowing webmasters to control the content of the Gravatars displayed on their website.

Webmasters can also configure their system to automatically display an Identicon when a user has no registered Gravatar.

History

For some time, the Gravatar service remained unmaintained. Its creator was busy working on a new version of the service, as Gravatar's popularity grew and more bandwidth was required. On 16 February 2007, [7] "Gravatar 2.0" was launched. Besides an improved server script, users also noticed other improvements, such as being able to crop and use an image already hosted on the web. Support for two gravatars per account was added, between which the user can easily switch. "Gravatar Premium" was also launched, allowing unlimited email addresses and Gravatars per account.

On 11 June 2007, Tom Preston-Werner announced that 32,000 new users had signed up since the launch of Gravatar 2.0. [8]

On 18 October 2007, Automattic acquired Gravatar. [9] After doing so, they offered all previously paid services at no cost, improved server response time, and refunded those who had recently paid for service. [10]

Matt Mullenweg announced on The Big Web Show on 2 December 2010 that Gravatar was serving approximately 20 billion images per day. [11]

Security concerns and data breaches

Gravatars are loaded from the Gravatar web server, using a URL containing an MD5 hash of the associated email address. This method has, however, been shown to be vulnerable to dictionary attacks and rainbow table approaches.

In 2009, it was demonstrated that over 10% of the email addresses of a set of forum users could be determined from the Gravatar URLs combined with the forum user names. [12]

Subsequently, in 2013, security researcher Dominique Bongard demonstrated that he was able to determine 45% of the email addresses used to post comments on a well-known French political forum by using Gravatar URLs and the open source Hashcat password cracking tool. [13]

Because Hashcat uses graphics processing units to crack hashes with high efficiency, it has been proposed that Gravatar hashes will only become easier to crack over time as GPU technology and performance continue to improve. [14] In addition, the MD5 hashing algorithm itself is severely compromised and unfit for cryptographic applications; the CMU Software Engineering Institute has recommended against its use in any capacity since the end of 2008. [15]

In October 2020, a technique for scraping large volumes of data from Gravatar was exposed by Carlo di Dato, a security researcher, after being ignored by Gravatar when he raised his concerns with them. 167 million names, usernames and MD5 hashes of email addresses used to reference users' avatars were subsequently scraped and distributed within the hacking community. 114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data. Email account holders are able to check whether their addresses have been leaked using Have I Been Pwned. [16] [17]
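The following added example (not part of the original article or of Gravatar's own code) shows, from a site operator's side, which email hashes a rendered page exposes through its avatar URLs and how they could be swapped for keyed, site-local identifiers. The local `/avatar/` proxy path, the site key and the sample users are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Matches the 32-hex-digit MD5 carried in a Gravatar avatar URL.
GRAVATAR_RE = re.compile(r"https?://(?:[a-z0-9]+\.)?gravatar\.com/avatar/([0-9a-f]{32})")

def normalize(email: str) -> bytes:
    # Gravatar hashes the trimmed, lower-cased address.
    return email.strip().lower().encode("utf-8")

def gravatar_hash(email: str) -> str:
    # Unsalted MD5: identical on every site that shows this user's avatar.
    return hashlib.md5(normalize(email)).hexdigest()

def opaque_id(email: str, site_key: bytes) -> str:
    # Hypothetical site-local identifier: HMAC-SHA256 under a server-side secret,
    # so it cannot be recomputed from a candidate address without the key.
    return hmac.new(site_key, normalize(email), hashlib.sha256).hexdigest()

def exposed_hashes(html: str) -> set:
    # Email hashes any visitor can read straight out of the rendered page.
    return set(GRAVATAR_RE.findall(html))

def rewrite_avatars(html: str, users: list, site_key: bytes) -> str:
    # Point each known Gravatar URL at a (hypothetical) local avatar proxy instead.
    by_hash = {gravatar_hash(e): opaque_id(e, site_key) for e in users}
    def swap(match):
        token = by_hash.get(match.group(1))
        return f"/avatar/{token}" if token else match.group(0)
    return GRAVATAR_RE.sub(swap, html)

# Constructed sample data.
USERS = ["Alice@Example.com ", "bob@example.org"]
SITE_KEY = b"constructed-demo-key-not-for-production"
PAGE = "".join(
    f'<img src="https://www.gravatar.com/avatar/{gravatar_hash(e)}?s=80">' for e in USERS
)

if __name__ == "__main__":
    print("hashes exposed before rewrite:", len(exposed_hashes(PAGE)))
    safe = rewrite_avatars(PAGE, USERS, SITE_KEY)
    print("hashes exposed after rewrite: ", len(exposed_hashes(safe)))
    print(safe)
```

The proxy behind `/avatar/` would map each identifier back to the user server-side and fetch the image itself, so the MD5 never reaches the visitor's browser.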

References

  1. "Wordpress Codex — Using Gravatars". Codex.wordpress.org. Retrieved 2009-12-10.
  2. "Redmine v0.8.0 RC1 changelog". Redmine.org. Retrieved 2014-01-06.
  3. "Drupal Gravatar Integration". Drupal.org. 2007-11-24. Retrieved 2009-12-10.
  4. "MODx Gravatar Extension". MODx.com. 2011-01-21. Retrieved 2016-01-05.
  5. "Open Profile Data". Gravatar Blog. Gravatar. Retrieved 27 September 2011.
  6. "Gravatar — How the URL is constructed". en.gravatar.com. Retrieved 2009-12-10.
  7. "Welcome to Gravatar 2.0!". blog.gravatar.com. 2007-02-16. Retrieved 2011-07-01.
  8. "Gravatar Blog — Updated Croppr & Stats". blog.gravatar.com. 2007-06-11. Retrieved 2009-12-10.
  9. Riley, Duncan (2007-10-17). "Automattic Acquires Gravatar". TechCrunch. Retrieved 2010-08-03.
  10. "Gravatar Blog — Automattic Acquires Gravatar". blog.gravatar.com. 2007-10-18. Retrieved 2009-12-10.
  11. "The Big Web Show #29: Matt Mullenweg on 5by5 (41m40s)" (MP3 audio, MP4 video). 5by5 Studios. 2010-12-02. Retrieved 2010-12-12.
  12. "Gravatars: why publishing your email's hash is not a good idea". Developer IT. December 8, 2009.
  13. Goodin, Dan (31 July 2013). "Got an account on a site like Github? Hackers may know your e-mail address". Ars Technica. Retrieved 1 October 2021.
  14. Maunder, Mark. "Gravatar Advisory: How to Protect Your Email Address and Identity". Wordfence. Retrieved 1 October 2021.
  15. "CERT Vulnerability Note VU#836068". Kb.cert.org. Retrieved 1 October 2021.
  16. "Online avatar service Gravatar allows mass collection of user info". Bleeping Computer. 3 October 2020. Archived from the original on 6 December 2021.
  17. "Gravatar - 113,990,759 breached accounts". IT Security News. 6 December 2021. Archived from the original on 6 December 2021.