Gravatar (a portmanteau of globally recognized avatar) is a service for providing globally unique avatars and was created by Tom Preston-Werner. Since 2007, it has been owned by Automattic, having integrated it into their WordPress.com blogging platform.
On Gravatar, users can register an account based on their email address and upload an image of their choice to be associated with that email address. Gravatar plugins are available for popular blogging software; when a user posts a comment on such a blog and supplies an email address, the blogging software checks whether that email address has an associated avatar at Gravatar. If so, the Gravatar is shown alongside the comment. Gravatar support is provided natively in WordPress as of v2.5 and in the web-based project management application Redmine beginning with version 0.8. Support for Gravatar is also provided via third-party modules for web content management systems such as Drupal and MODX.
A user's profile data is available in a number of metadata standards, including hCard, JSON, XML, PHP, and vCard as well as via QR codes. The raw data formats (JSON, XML, and PHP) use the Portable Contacts standard.
A Gravatar image can be up to 2048 pixels wide, is always square and is displayed at 80 by 80 pixels by default. If the uploaded avatar is larger or smaller, the avatar is scaled appropriately. Each Gravatar is rated with an MPAA-style age recommendation, allowing webmasters to control the content of the Gravatars displayed on their website.
Webmasters can also configure their system to automatically display an Identicon when a user has no registered Gravatar.
For some time the Gravatar service went unmaintained while its creator worked on a new version, as Gravatar's popularity grew and more bandwidth was required. On 16 February 2007, "Gravatar 2.0" was launched. Besides an improved server script, users also noticed other improvements, such as being able to crop and use an image already hosted on the web. Support for two gravatars per account was added, between which the user can easily switch. "Gravatar Premium" was also launched, allowing unlimited email addresses and Gravatars per account.
On 18 October 2007, Automattic acquired Gravatar. After doing so, they offered all previously paid services at no cost, improved server response time, and refunded those who had recently paid for service.
Security concerns and data breaches
Gravatars are loaded from the Gravatar web server, using a URL containing an MD5 hash of the associated email address. This method has, however, been shown to be vulnerable to dictionary attacks and rainbow table approaches.
In 2009, it was demonstrated that over 10% of the email addresses of a set of forum users could be determined from the Gravatar URLs combined with the forum user names.
Subsequently, in 2013, security researcher Dominique Bongard showed that he was able to determine 45% of the email addresses used to post comments on a well-known French political forum by using Gravatar URLs and the open source Hashcat password cracking tool.
Given that Hashcat uses graphics processing units to crack hashes at high throughput, it has been proposed that, as GPU technology and performance continue to improve, Gravatar hashes will only become easier to crack over time. This is in addition to the fact that the MD5 hashing algorithm itself is severely compromised and unfit for cryptographic applications; the CMU Software Engineering Institute has recommended against its use in any capacity since the end of 2008.
In October 2020, a technique for scraping large volumes of data from Gravatar was exposed by Carlo di Dato, a security researcher, after being ignored by Gravatar when he raised his concerns with them. 167 million names, usernames and MD5 hashes of email addresses used to reference users' avatars were subsequently scraped and distributed within the hacking community. 114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data, with email account holders able to check whether their addresses have been leaked using Have I Been Pwned.
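The following Python script is an added illustration, not code from the article or from Gravatar, of why the URL scheme described above leaks the address: the hash is a deterministic, unkeyed function of the email, so anyone holding a list of candidate addresses can compute the same hashes and match them against what a page publishes. `gravatar_hash` and `gravatar_url` follow Gravatar's documented rule (trim, lowercase, MD5 hex) and its documented `s`, `d` and `r` query parameters; `exposed_addresses` is the self-check an address holder or site operator can run against hashes seen in page markup or a dump; `opaque_avatar_token` is an assumed mitigation pattern (a keyed HMAC token resolved server-side by a proxy route) that the article does not describe. All email addresses and keys are constructed sample values.

```python
import hashlib
import hmac

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"


def gravatar_hash(email: str) -> str:
    """Gravatar's documented address-to-hash rule: trim, lowercase, MD5 hex.
    The result is unkeyed, so it can be recomputed from any guessed address."""
    normalized = email.strip().lower()
    return hashlib.md5(normalized.encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80, default: str = "identicon",
                 rating: str = "g") -> str:
    """Build the avatar URL. s = size in pixels (80 is the service default),
    d = fallback image when no Gravatar is registered (e.g. identicon),
    r = maximum content rating (g, pg, r, x)."""
    return f"{GRAVATAR_BASE}{gravatar_hash(email)}?s={size}&d={default}&r={rating}"


def exposed_addresses(owned_emails, observed_hashes):
    """Self-check: which of the addresses we control correspond to a hash
    observed in public markup or a scraped data set?  This is exactly the
    one-way computation a dictionary or rainbow table performs, which is why
    publishing the hash gives the address no confidentiality."""
    observed = {h.lower() for h in observed_hashes}
    return sorted(e for e in owned_emails if gravatar_hash(e) in observed)


def opaque_avatar_token(email: str, site_key: bytes) -> str:
    """Assumed mitigation pattern (not from the article): the site keeps the
    MD5 hash server-side and exposes only a keyed HMAC-SHA256 of the address
    to browsers, resolving token -> Gravatar URL in a proxy route.  Without
    site_key the token cannot be matched against a list of candidate addresses."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(site_key, normalized, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample input: two addresses "we own" and two hashes "seen"
    # in a comment page's HTML.
    owned = ["alice@example.com", "bob@example.com"]
    seen_on_page = [gravatar_hash("alice@example.com"), "0" * 32]
    print("URL published for alice:", gravatar_url("alice@example.com"))
    print("owned addresses recoverable from the page:",
          exposed_addresses(owned, seen_on_page))
    print("opaque token a proxying site could publish instead:",
          opaque_avatar_token("alice@example.com", b"constructed-site-key"))
```

The `exposed_addresses` check only confirms membership for addresses you already hold; it is the defender's side of the same computation the 2009 and 2013 results relied on. The HMAC variant removes the property that made those results possible (recomputability by anyone) by adding a secret the browser never sees, at the cost of the site having to fetch or proxy the avatar itself.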