Gravatar Can Be Abused for Information Collection of Its Profiles
Gravatar Can Be Abused for Information Collection of Its Profiles | |
---|---|
Short Title | Online Avatar Service Gravatar Allows Mass Collection of User Info by Web Crawlers and Bots |
Location | Global |
Date | October 2020 |
Solove Harm | Insecurity, Interrogation |
Information | Identifying, Location, Contact, Account |
Threat Actors | Gravatar, A security researcher |
Individuals Affected | Gravatar users |
High Risk Groups | |
Tangible Harms | A security researcher found that Gravatar allows mass collection of user info through a hidden but relatively simple technique of using profile ID numbers. |
Description
Gravatar is an online avatar service that lets users set and use a profile picture (avatar) across multiple websites that support Gravatar.
In October 2020 a security researcher found it to be vulnerable to a user enumeration technique. A numeric ID is associated with each profile, and a hidden API route in the service lets anyone obtain a user's JSON data simply by supplying that profile "id" field.
By writing a simple test script that sequentially visited the profile URLs for IDs 1 to 5000, the researcher was able to collect the JSON data of the first 5000 Gravatar users without any issues.
Certain user profiles exposed more public data than others, for example Bitcoin wallet addresses, phone numbers and location.
This is an example of Insecurity on Gravatar's side, and the researcher's actions can be seen as Interrogation.
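As an added example (not code from the original page, the researcher, or Gravatar), the following Python detection logic shows how a service operator could spot the sequential-ID enumeration described above in its own access logs. The log lines are constructed, and the `/<id>.json` path is an assumption standing in for the hidden JSON profile route.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined-log style). The "/<id>.json"
# path shape is an assumption standing in for the hidden JSON profile route.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Oct/2020:10:00:01 +0000] "GET /1.json HTTP/1.1" 200 512
203.0.113.9 - - [12/Oct/2020:10:00:01 +0000] "GET /2.json HTTP/1.1" 200 498
203.0.113.9 - - [12/Oct/2020:10:00:02 +0000] "GET /3.json HTTP/1.1" 200 530
203.0.113.9 - - [12/Oct/2020:10:00:02 +0000] "GET /4.json HTTP/1.1" 404 120
203.0.113.9 - - [12/Oct/2020:10:00:03 +0000] "GET /5.json HTTP/1.1" 200 611
203.0.113.9 - - [12/Oct/2020:10:00:03 +0000] "GET /6.json HTTP/1.1" 200 587
198.51.100.4 - - [12/Oct/2020:10:00:05 +0000] "GET /42.json HTTP/1.1" 200 540
198.51.100.4 - - [12/Oct/2020:10:01:09 +0000] "GET /1337.json HTTP/1.1" 200 602
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"GET /(?P<id>\d+)\.json ')

def ids_by_client(log_text):
    """Map each client IP to the ordered list of numeric profile IDs it requested."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group("ip")].append(int(m.group("id")))
    return seen

def longest_sequential_run(ids):
    """Length of the longest run of consecutive IDs (n, n+1, n+2, ...) in request
    order. A 404 for a missing profile is counted too, so gaps in the user table
    do not hide the walk through the ID space."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumerators(log_text, min_run=5):
    """Return the client IPs whose longest sequential-ID run reaches min_run."""
    return sorted(ip for ip, ids in ids_by_client(log_text).items()
                  if longest_sequential_run(ids) >= min_run)

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))  # ['203.0.113.9']
```

A flagged client is a candidate for rate limiting on the route; the durable fix is to stop exposing guessable sequential IDs in public routes at all.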
Breakdown
Threat: Security researcher probing Gravatar for personal information about its users through an enumeration technique applied to profile URLs
At-Risk group: Gravatar users
Harm: Interrogation
Secondary Consequences: not known
Threat: Gravatar not protecting users' information from unauthorised access through an API route
At-Risk group: Gravatar users
Harm: Insecurity
Secondary Consequences: not known