Gravatar: Difference between revisions

From Wikipedia, the free encyclopedia
m →‎Metadata: Spelling/case, etc. (alternative: "users'" (plural and possessive)).
m Reverted edit by 154.121.105.230 (talk) to last version by WikiCleanerBot
 
(34 intermediate revisions by 25 users not shown)
Line 1: Line 1:
{{Short description|Web service providing individuals with a "Globally Recognized Avatar"}}
{{Infobox website
{{Infobox website
| name = Gravatar
| name = Gravatar
| logo = Logo Gravatar.png
| logo = Logo Gravatar.png
| url = [https://gravatar.com/ gravatar.com]
| url = [https://gravatar.com/ gravatar.com]
| screenshot = Gravatar Homepage.jpg
| screenshot = Gravatar Homepage.jpg
| commercial = Yes
| commercial = Yes
| type = Avatar hosting
| type = Avatar hosting
| registration = Optional
| registration = Optional
| owner = [[Automattic]]
| owner = [[Automattic]]
| author = [[Tom Preston-Werner]]
| author = [[Tom Preston-Werner]]
| alexa = {{IncreaseNegative}} 7,605 ({{as of|2019|9|25|alt=September 2019}})<ref name="alexa">{{cite web|url= https://www.alexa.com/siteinfo/gravatar.com |title= Gravatar.com Site Info | publisher= [[Alexa Internet]] |accessdate= 2019-09-25 }}</ref><!--Updated monthly by OKBot.-->
}}
}}


'''Gravatar''' (a [[portmanteau]] of ''globally recognized avatar'') is a service for providing globally unique [[avatar (computing)|avatar]]s and was created by [[Tom Preston-Werner]]. Since 2007, it has been owned by [[Automattic]], having integrated it into their [[WordPress.com]] blogging platform.
'''Gravatar''' (a [[portmanteau]] of ''globally recognized avatar'') is a service for providing globally unique [[avatar (computing)|avatar]]s and was created by [[Tom Preston-Werner]]. Since 2007, it has been owned by [[Automattic]], having integrated it into their [[WordPress.com]] blogging platform.


== Designs ==
== Functionality ==


On Gravatar, users can register an account based on their email address, and upload a digital avatar to be associated with the account. Gravatar [[Plug-in (computing)|plugins]] are available for popular [[Weblog software|blogging software]]; when the user posts a comment on such a [[blog]] that requires an [[email address]], the blogging software checks whether that email address has an associated avatar at Gravatar. If so, the Gravatar is shown along with the comment. Gravatar support is provided natively in [[WordPress]] as of v2.5<ref>{{cite web|url=http://codex.wordpress.org/Using_Gravatars |title=Wordpress Codex&nbsp;— Using Gravatars |publisher=Codex.wordpress.org |date= |accessdate=2009-12-10}}</ref> and in web based [[project management]] application [[Redmine]] beginning with version 0.8.<ref>{{cite web|url=http://www.redmine.org/projects/redmine/wiki/Changelog_0_8#v080-RC1-2008-12-07 |title=Redmine v0.8.0 RC1 changelog |publisher=Redmine.org |accessdate=2014-01-06}}</ref> Support for Gravatar is also provided via third-party modules for web [[content management system]]s such as [[Drupal]] and [[MODX]].<ref>{{cite web|url=http://drupal.org/project/gravatar |title=Drupal Gravatar Integration |publisher=Drupal.org |date=2007-11-24 |accessdate=2009-12-10}}</ref><ref>{{cite web|url=http://modx.com/extras/package/Gravatar |title=MODx Gravatar Extension |publisher= MODx.com |date=2011-01-21 |accessdate=2016-01-05}}</ref>
On Gravatar, users can register an account based on their email address, and upload an image of their choice to be associated with that email address. Gravatar [[Plug-in (computing)|plugins]] are available for popular [[Weblog software|blogging software]]; when the user posts a comment on such a [[blog]] that requires an [[email address]], the blogging software checks whether that email address has an associated avatar at Gravatar. If so, the Gravatar is shown along with the comment. Gravatar support is provided natively in [[WordPress]] as of v2.5<ref>{{cite web|url=http://codex.wordpress.org/Using_Gravatars |title=Wordpress Codex&nbsp;— Using Gravatars |publisher=Codex.wordpress.org |date= |accessdate=2009-12-10}}</ref> and in web based [[project management]] application [[Redmine]] beginning with version 0.8.<ref>{{cite web|url=http://www.redmine.org/projects/redmine/wiki/Changelog_0_8#v080-RC1-2008-12-07 |title=Redmine v0.8.0 RC1 changelog |publisher=Redmine.org |accessdate=2014-01-06}}</ref> Support for Gravatar is also provided via third-party modules for web [[content management system]]s such as [[Drupal]] and [[MODX]].<ref>{{cite web|url=http://drupal.org/project/gravatar |title=Drupal Gravatar Integration |publisher=Drupal.org |date=2007-11-24 |accessdate=2009-12-10}}</ref><ref>{{cite web|url=http://modx.com/extras/package/Gravatar |title=MODx Gravatar Extension |publisher= MODx.com |date=2011-01-21 |accessdate=2016-01-05}}</ref>

A user's profile data is available in a number of [[metadata]] standards, including [[hCard]], [[JSON]], [[XML]], [[PHP]], and [[vCard]] as well as via [[QR code]]s. The raw data formats (JSON, XML, and PHP) use the [[Portable Contacts]] standard.<ref name="OpenProfile">{{cite web |title=Open Profile Data |url=http://blog.gravatar.com/2011/07/12/open-profile-data/ |accessdate=27 September 2011 |work=Gravatar Blog |publisher=Gravatar}}</ref>


A Gravatar image can be up to 2048 [[pixel]]s wide, is always square and is displayed at 80 by 80 pixels by default.<ref>{{cite web|url=http://en.gravatar.com/site/implement/url |title=Gravatar&nbsp;— How the URL is constructed |publisher=en.gravatar.com |date= |accessdate=2009-12-10}}</ref> If the uploaded avatar is larger or smaller, the avatar is scaled appropriately. Each Gravatar is rated with an [[Motion Picture Association of America|MPAA]]-style age recommendation, allowing [[webmaster]]s to control the content of the Gravatars displayed on their [[website]].
A Gravatar image can be up to 2048 [[pixel]]s wide, is always square and is displayed at 80 by 80 pixels by default.<ref>{{cite web|url=http://en.gravatar.com/site/implement/url |title=Gravatar&nbsp;— How the URL is constructed |publisher=en.gravatar.com |date= |accessdate=2009-12-10}}</ref> If the uploaded avatar is larger or smaller, the avatar is scaled appropriately. Each Gravatar is rated with an [[Motion Picture Association of America|MPAA]]-style age recommendation, allowing [[webmaster]]s to control the content of the Gravatars displayed on their [[website]].


Webmasters can also configure their system to automatically display an [[Identicon]] when a user has no registered Gravatar.
[[Webmaster|Webmasters]] can also configure their system to automatically display an [[Identicon]] when a user has no registered Gravatar.


== History ==
Gravatars are loaded from the Gravatar [[web server]], using a [[URL]] containing an [[MD5]] [[hash function|hash]] of the associated email address. This method has, however, been shown to be vulnerable to [[dictionary attack]]s (in one real-life example over 10% of the email addresses of a set of forum users could be determined from the Gravatar URLs combined with the forum user names) and [[rainbow table]] approaches.<ref>[http://www.developer.it/post/gravatars-why-publishing-your-email-s-hash-is-not-a-good-idea Gravatars: why publishing your email's hash is not a good idea] Developer IT, December 8, 2009</ref>


For some time, the Gravatar service remained unmaintained. The maker became busy with working on a new version of the service, as Gravatar's popularity grew and more [[bandwidth (computing)|bandwidth]] was required. On 16 February 2007,<ref>{{cite web|url=http://blog.gravatar.com/2007/02/16/welcome-to-gravatar-2-0/ |title=Welcome to Gravatar 2.0!|publisher=blog.gravatar.com |date=2007-02-16 |accessdate=2011-07-01}}</ref> "Gravatar 2.0" was launched. Besides an improved server script, users also noticed other improvements, such as being able to crop and use an image already hosted on the [[World Wide Web|web]]. Support for two gravatars per account was added, between which the user can easily switch. "Gravatar Premium" was also launched, allowing unlimited email addresses and Gravatars per account.
== Metadata ==


A user's profile data is available in a number of metadata standards, including [[hCard]], [[JSON]], [[XML]], [[PHP]], and [[vCard]] as well as via [[QR code]]s. The raw data formats (JSON, XML, and PHP) use the [[Portable Contacts]] standard.<ref name="OpenProfile">{{cite web|url=http://blog.gravatar.com/2011/07/12/open-profile-data/|title=Open Profile Data|work=Gravatar Blog|publisher=Gravatar|accessdate=27 September 2011}}</ref>
On 11 June 2007, [[Tom Preston-Werner]] announced that 32,000 new users had signed up since the launch of Gravatar 2.0.<ref>{{cite web|url=http://blog.gravatar.com/2007/06/11/updated-croppr-stats/ |title=Gravatar Blog&nbsp;— Updated Croppr & Stats |publisher=blog.gravatar.com |date=2007-06-11 |accessdate=2009-12-10}}</ref>


On 18 October 2007, [[Automattic]] acquired Gravatar.<ref>{{cite news|url=https://techcrunch.com/2007/10/17/automattic-acquires-gravatar/ |title=Automattic Acquires Gravatar |publisher=TechCrunch |date= 2007-10-17|accessdate=2010-08-03 | first=Duncan | last=Riley}}</ref> After doing so, they offered all previously paid services at no cost, improved server response time,{{better source needed|date=May 2013}} and refunded those who had recently paid for service.<ref>{{cite web|url=http://blog.gravatar.com/2007/10/18/automattic-gravatar/ |title=Gravatar Blog&nbsp;— Automattic Acquires Gravatar |publisher=blog.gravatar.com |date=2007-10-18 |accessdate=2009-12-10}}</ref>
== History ==


[[Matt Mullenweg]] announced on ''The Big Web Show'' on 2 December 2010 that Gravatar was serving approximately 20 billion images per day.<ref>{{cite web | url = http://5by5.tv/bigwebshow/29 | title = The Big Web Show #29: Matt Mullenweg on 5by5 (41m40s) | accessdate = 2010-12-12 | date = 2010-12-02 | format = MP3 audio, MP4 video | publisher = 5by5 Studios}}</ref>
For some time, the Gravatar service remained unmaintained. The maker became busy with working on a new version of the service, as Gravatar's popularity grew and more [[bandwidth (computing)|bandwidth]] was required. On 16 February 2007,<ref>{{cite web|url=http://blog.gravatar.com/2007/02/16/welcome-to-gravatar-2-0/ |title=Welcome to Gravatar 2.0!|publisher=blog.gravatar.com |date=2007-02-16 |accessdate=2011-07-01}}</ref> "Gravatar 2.0" was launched. Besides an improved server script, users also noticed other improvements, such as being able to crop and use an image already hosted on the [[Internet]]. Support for two gravatars per account was added, between which the user can easily switch. "Gravatar Premium" was also launched, allowing unlimited email addresses and Gravatars per account.


== Security concerns and data breaches ==
On 11 June 2007, [[Tom Preston-Werner]] announced that 32,000 new users had signed up since the launch of Gravatar 2.0.<ref>{{cite web|url=http://blog.gravatar.com/2007/06/11/updated-croppr-stats/ |title=Gravatar Blog&nbsp;— Updated Croppr & Stats |publisher=blog.gravatar.com |date=2007-06-11 |accessdate=2009-12-10}}</ref>


Gravatars are loaded from the Gravatar [[web server]], using a [[URL]] containing an [[MD5]] [[hash function|hash]] of the associated email address. This method has, however, been shown to be vulnerable to [[dictionary attack]]s and [[rainbow table]] approaches.
On 18 October 2007, [[Automattic]] acquired Gravatar.<ref>{{cite news|url=https://techcrunch.com/2007/10/17/automattic-acquires-gravatar/ |title=Automattic Acquires Gravatar |publisher=TechCrunch |date= 2007-10-17|accessdate=2010-08-03 | first=Duncan | last=Riley}}</ref> After doing so, they offered all previously paid services at no cost, improved server response time,{{better source|date=May 2013}} and refunded those who had recently paid for service.<ref>{{cite web|url=http://blog.gravatar.com/2007/10/18/automattic-gravatar/ |title=Gravatar Blog&nbsp;— Automattic Acquires Gravatar |publisher=blog.gravatar.com |date=2007-10-18 |accessdate=2009-12-10}}</ref>


In 2009, it was demonstrated that over 10% of the email addresses of a set of forum users could be determined from the Gravatar URLs combined with the forum user names.<ref>[http://www.developer.it/post/gravatars-why-publishing-your-email-s-hash-is-not-a-good-idea Gravatars: why publishing your email's hash is not a good idea] Developer IT, December 8, 2009</ref>
[[Matt Mullenweg]] announced on ''The Big Web Show'' on 2 December 2010 that Gravatar was serving approximately 20 billion images per day.<ref>{{cite web | url = http://5by5.tv/bigwebshow/29 | title = The Big Web Show #29: Matt Mullenweg on 5by5 (41m40s) | accessdate = 2010-12-12 | date = 2010-12-02 | format = MP3 audio, MP4 video | publisher = [[5by5 Studios]]}}</ref>

Subsequently, in 2013, security researcher Dominique Bongard presented that he was able to determine 45% of the email addresses used to post comments on a well-known French political forum by using Gravatar URLs and the open source [[Hashcat|Hashcat password cracking tool]].<ref>{{cite news |last1=Goodin |first1=Dan |title=Got an account on a site like Github? Hackers may know your e-mail address |url=https://arstechnica.com/information-technology/2013/07/got-an-account-on-a-site-like-github-hackers-may-know-your-e-mail-address/ |access-date=1 October 2021 |work=Ars Technica |date=31 July 2013 |ref=hackers-may-know-your-e-mail-address}}</ref>

Given that [[Hashcat]] uses [[graphics processing units]] to achieve high-efficiencies at cracking hashes, it has been proposed that as GPU technology and performance continues to improve, that Gravatar hashes will only become easier to crack over time as a result.<ref>{{cite web |last1=Maunder |first1=Mark |title=Gravatar Advisory: How to Protect Your Email Address and Identity |url=https://www.wordfence.com/blog/2016/12/gravatar-advisory-protect-email-address-identity/ |website=Wordfence |access-date=1 October 2021 |ref=gravatar-advisory-how-to-protect-your-email}}</ref> This is in addition to the fact that the MD5 hashing algorithm itself is severely compromised and unfit for [[Cryptography|cryptographic]] applications; the [[CMU Software Engineering Institute]] has recommended against its use in any capacity since the end of 2008.<ref>{{cite web|url=http://www.kb.cert.org/vuls/id/836068 |title=CERT Vulnerability Note VU#836068 |publisher=Kb.cert.org |access-date=1 October 2021 |ref=md5-vulnerable-to-collision-attacks}}</ref>

In October 2020, a technique for scraping large volumes of data from Gravatar was exposed by Carlo di Dato, a security researcher, after being ignored by Gravatar when he raised his concerns with them. 167 million names, usernames and MD5 hashes of email addresses used to reference users' avatars were subsequently scraped and distributed within the hacking community. 114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data, with email account holders able to check whether their addresses have been leaked using [[Have I Been Pwned?|Have I Been Pwned]].<ref name="bleeping">{{Cite web |url=https://www.bleepingcomputer.com/news/security/online-avatar-service-gravatar-allows-mass-collection-of-user-info/ |title=Online avatar service Gravatar allows mass collection of user info |date=3 October 2020 |publisher=Bleeping Computer |archivedate=6 December 2021 |archiveurl=https://web.archive.org/web/20211206004028/https://www.bleepingcomputer.com/news/security/online-avatar-service-gravatar-allows-mass-collection-of-user-info/}}</ref><ref name="itsecuritynews">{{Cite web|url=https://www.itsecuritynews.info/gravatar-113990759-breached-accounts/ |title=Gravatar - 113,990,759 breached accounts |publisher=IT Security News |date=6 December 2021 |archivedate=6 December 2021 |archiveurl=https://web.archive.org/web/20211206013859/https://www.itsecuritynews.info/gravatar-113990759-breached-accounts/}}</ref>


== References ==
== References ==
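Review bot: In the new "Security concerns and data breaches" section, the sentence "This is in addition to the fact that the MD5 hashing algorithm itself is severely compromised" cites a reference tagged md5-vulnerable-to-collision-attacks, but the recoveries described in the paragraphs before it are dictionary attacks, which hash guessed addresses and do not depend on collisions. Suggest wording that keeps the two weaknesses separate, so readers do not conclude that a collision-resistant hash alone would address the exposure. The opening claim about dictionary attacks and rainbow tables also lost its inline citation when the Developer IT reference moved into the 2009 paragraph; a named ref reused on both sentences would restore it. Minor: "it has been proposed that as GPU technology ... that Gravatar hashes" repeats "that".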
Line 47: Line 55:


{{Automattic Inc.}}
{{Automattic Inc.}}

[[Category:Virtual avatars]]
[[Category:Virtual avatars]]
[[Category:Automattic]]
[[Category:Automattic]]
[[Category:WordPress]]


[[de:Avatar (Internet)#Gravatar]]
[[de:Avatar (Internet)#Gravatar]]

Latest revision as of 08:57, 9 July 2024

Gravatar
Type of site: Avatar hosting
Owner: Automattic
Created by: Tom Preston-Werner
URL: gravatar.com
Commercial: Yes
Registration: Optional

Gravatar (a portmanteau of globally recognized avatar) is a service for providing globally unique avatars and was created by Tom Preston-Werner. Since 2007, it has been owned by Automattic, having integrated it into their WordPress.com blogging platform.

Functionality

On Gravatar, users can register an account based on their email address, and upload an image of their choice to be associated with that email address. Gravatar plugins are available for popular blogging software; when the user posts a comment on such a blog that requires an email address, the blogging software checks whether that email address has an associated avatar at Gravatar. If so, the Gravatar is shown along with the comment. Gravatar support is provided natively in WordPress as of v2.5[1] and in the web-based project management application Redmine beginning with version 0.8.[2] Support for Gravatar is also provided via third-party modules for web content management systems such as Drupal and MODX.[3][4]

A user's profile data is available in a number of metadata standards, including hCard, JSON, XML, PHP, and vCard as well as via QR codes. The raw data formats (JSON, XML, and PHP) use the Portable Contacts standard.[5]

A Gravatar image can be up to 2048 pixels wide, is always square and is displayed at 80 by 80 pixels by default.[6] If the uploaded avatar is larger or smaller, the avatar is scaled appropriately. Each Gravatar is rated with an MPAA-style age recommendation, allowing webmasters to control the content of the Gravatars displayed on their website.

Webmasters can also configure their system to automatically display an Identicon when a user has no registered Gravatar.

History

For some time, the Gravatar service remained unmaintained. Its maker was busy working on a new version of the service, as Gravatar's popularity grew and more bandwidth was required. On 16 February 2007,[7] "Gravatar 2.0" was launched. Besides an improved server script, users also noticed other improvements, such as being able to crop and use an image already hosted on the web. Support for two Gravatars per account was added, between which the user can easily switch. "Gravatar Premium" was also launched, allowing unlimited email addresses and Gravatars per account.

On 11 June 2007, Tom Preston-Werner announced that 32,000 new users had signed up since the launch of Gravatar 2.0.[8]

On 18 October 2007, Automattic acquired Gravatar.[9] After doing so, they offered all previously paid services at no cost, improved server response time,[better source needed] and refunded those who had recently paid for service.[10]

Matt Mullenweg announced on The Big Web Show on 2 December 2010 that Gravatar was serving approximately 20 billion images per day.[11]

Security concerns and data breaches

Gravatars are loaded from the Gravatar web server, using a URL containing an MD5 hash of the associated email address. This method has, however, been shown to be vulnerable to dictionary attacks and rainbow table approaches.

In 2009, it was demonstrated that over 10% of the email addresses of a set of forum users could be determined from the Gravatar URLs combined with the forum user names.[12]

Subsequently, in 2013, security researcher Dominique Bongard reported that he was able to determine 45% of the email addresses used to post comments on a well-known French political forum by using Gravatar URLs and the open source Hashcat password cracking tool.[13]

Given that Hashcat uses graphics processing units to achieve high efficiency at cracking hashes, it has been proposed that Gravatar hashes will only become easier to crack over time as GPU technology and performance continue to improve.[14] This is in addition to the fact that the MD5 hashing algorithm itself is severely compromised and unfit for cryptographic applications; the CMU Software Engineering Institute has recommended against its use in any capacity since the end of 2008.[15]

In October 2020, security researcher Carlo di Dato exposed a technique for scraping large volumes of data from Gravatar, after Gravatar ignored the concerns he had raised with them. 167 million names, usernames and MD5 hashes of email addresses used to reference users' avatars were subsequently scraped and distributed within the hacking community. 114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data. Email account holders are able to check whether their addresses have been leaked using Have I Been Pwned.[16][17]
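The exposure described in this section, next to one way a site operator can avoid it, as an added example that is not part of the article and not Gravatar's own code. It builds the avatar URL from the MD5 of the trimmed, lower-cased address (with Gravatar's `s`, `d` and `r` query parameters), then contrasts a direct embed with a server-side proxy that publishes only a keyed token; `AvatarProxy`, the `/avatar/` path, the site keys and the sample address are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlencode

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"


def normalize(email: str) -> str:
    """Gravatar hashes the trimmed, lower-cased address."""
    return email.strip().lower()


def gravatar_hash(email: str) -> str:
    """Unsalted MD5 of the address: identical on every site that embeds it."""
    return hashlib.md5(normalize(email).encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80, default: str = "identicon",
                 rating: str = "g") -> str:
    """Direct embed: the hash is visible to anyone who can view the page."""
    if not 1 <= size <= 2048:
        raise ValueError("size must be between 1 and 2048 pixels")
    query = urlencode({"s": size, "d": default, "r": rating})
    return f"{GRAVATAR_BASE}{gravatar_hash(email)}?{query}"


def guess_confirms(public_id: str, guessed_email: str) -> bool:
    """True if an outsider holding no secret can confirm a guessed address."""
    return hmac.compare_digest(public_id, gravatar_hash(guessed_email))


class AvatarProxy:
    """Hypothetical site-side proxy: pages embed /avatar/<token> and only the
    server, which holds site_key, knows the upstream Gravatar URL."""

    def __init__(self, site_key: bytes):
        self._key = site_key
        self._upstream = {}  # token -> Gravatar URL, never sent to browsers

    def token(self, email: str) -> str:
        mac = hmac.new(self._key, normalize(email).encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:32]

    def register(self, email: str, size: int = 80) -> str:
        """Return the path to place in the page's <img src>."""
        tok = self.token(email)
        self._upstream[tok] = gravatar_url(email, size)
        return f"/avatar/{tok}"

    def resolve(self, path: str):
        """Server-side lookup used when fetching and relaying the image."""
        return self._upstream.get(path.rsplit("/", 1)[-1])


if __name__ == "__main__":
    email = "  Jane.Doe@Example.org "  # constructed sample address
    guess = "jane.doe@example.org"
    direct_id = gravatar_url(email).split("/")[-1].split("?")[0]
    print("direct embed confirms guess:", guess_confirms(direct_id, guess))
    forum, blog = AvatarProxy(b"forum-key-sample"), AvatarProxy(b"blog-key-sample")
    path = forum.register(email)
    print("proxied path confirms guess:", guess_confirms(path.rsplit("/", 1)[-1], guess))
    print("same token on both sites:", forum.token(email) == blog.token(email))
```

The token is only as private as the site key, and with a proxy it is the site's server rather than the visitor's browser that contacts Gravatar.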

References

  1. ^ "Wordpress Codex — Using Gravatars". Codex.wordpress.org. Retrieved 2009-12-10.
  2. ^ "Redmine v0.8.0 RC1 changelog". Redmine.org. Retrieved 2014-01-06.
  3. ^ "Drupal Gravatar Integration". Drupal.org. 2007-11-24. Retrieved 2009-12-10.
  4. ^ "MODx Gravatar Extension". MODx.com. 2011-01-21. Retrieved 2016-01-05.
  5. ^ "Open Profile Data". Gravatar Blog. Gravatar. Retrieved 27 September 2011.
  6. ^ "Gravatar — How the URL is constructed". en.gravatar.com. Retrieved 2009-12-10.
  7. ^ "Welcome to Gravatar 2.0!". blog.gravatar.com. 2007-02-16. Retrieved 2011-07-01.
  8. ^ "Gravatar Blog — Updated Croppr & Stats". blog.gravatar.com. 2007-06-11. Retrieved 2009-12-10.
  9. ^ Riley, Duncan (2007-10-17). "Automattic Acquires Gravatar". TechCrunch. Retrieved 2010-08-03.
  10. ^ "Gravatar Blog — Automattic Acquires Gravatar". blog.gravatar.com. 2007-10-18. Retrieved 2009-12-10.
  11. ^ "The Big Web Show #29: Matt Mullenweg on 5by5 (41m40s)" (MP3 audio, MP4 video). 5by5 Studios. 2010-12-02. Retrieved 2010-12-12.
  12. ^ "Gravatars: why publishing your email's hash is not a good idea". Developer IT. December 8, 2009.
  13. ^ Goodin, Dan (31 July 2013). "Got an account on a site like Github? Hackers may know your e-mail address". Ars Technica. Retrieved 1 October 2021.
  14. ^ Maunder, Mark. "Gravatar Advisory: How to Protect Your Email Address and Identity". Wordfence. Retrieved 1 October 2021.
  15. ^ "CERT Vulnerability Note VU#836068". Kb.cert.org. Retrieved 1 October 2021.
  16. ^ "Online avatar service Gravatar allows mass collection of user info". Bleeping Computer. 3 October 2020. Archived from the original on 6 December 2021.
  17. ^ "Gravatar - 113,990,759 breached accounts". IT Security News. 6 December 2021. Archived from the original on 6 December 2021.