Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Online Avatar Service Gravatar Allows Mass Collection Of User Info

Online Avatar Service Gravatar Allows Mass Collection Of User Info

A user enumeration technique discovered by security researcher Carlo Di Dato demonstrates how Gravatar can be abused for mass data collection of its profiles by web crawlers and bots.

Gravatar is an online avatar service that lets users set and use a profile picture (avatar) across multiple websites that support Gravatar.

The most recognizable use cases of Gravatar are perhaps WordPress websites integrated with the service and GitHub.

While data provided by Gravatar users on their profiles is already public, the easy user enumeration aspect of the service with virtually no rate limiting raises concerns with regards to the mass collection of user data.

How to access a Gravatar profile (officially)

In our demonstration of this bug, we will use the profile “beau” that is mentioned in Gravatar’s docs. This profile belongs to Beau Lebens, Head of Product Engineering for WooCommerce at Automattic.

According to Gravatar’s official documentation, the URL structure of a Gravatar profile consists of either a username or an MD5 hash of the email address associated with that profile.

This means a profile with a username “beau” can be accessed at or by navigating to which will ultimately redirect a visitor to the user’s public Gravatar page.

This is no problem: in either of these cases, Beau’s Gravatar username or MD5 parameters could not be easily predicted by a visitor and had to be known beforehand.

However, an additional method of accessing user data not disclosed in the docs includes simply using a numeric ID associated with each profile to fetch data.

Hidden URL route enables user enumeration 

Italian security researcher Carlo Di Dato on discovering this possibility reached out to BleepingComputer this week after failing to get concrete action from Gravatar.

As can be observed in Beau’s example profile above, clicking on the “JSON” link on the page, leads to returning JSON representation of profile data.

gravatar sample json
JSON data returned for the Gravatar profile of user, “beau”
Source: BleepingComputer

The field “id” in the JSON blob immediately caught Di Dato’s attention.

A hidden API route in the service enables anyone to obtain the user’s JSON data by simply using the profile “id” field.

“I spotted an interesting field named ‘id’ (it’s an integer value). The next step was to test if my profile was accessible using the ‘id’,” the researcher told BleepingComputer.

“So I browsed to and it worked. Now that I know I can access [the user’s JSON data] using an integer value, the next logical step was to check if I can perform a user enumeration,” he continued.

By writing a simple test script that sequentially visits profile URLs from IDs 1 to 5000 (as shown below), Di Dato was able to collect JSON data of the first 5000 Gravatar users with no issues.

Also Read: 7 Simple Tips On How To Create A Good Business Card Data

“If you take a look at the JSON file, you will find a lot of interesting information. The danger of this kind of issue is that a malicious user could download a huge amount of data and perform any kind of social engineering attack against legit users,” said Di Dato.

In our tests, BleepingComputer could confirm certain user profiles had more public data than the others, for example, BitCoin wallet addresses, phone numbers, location, etc.

The users who create public profiles on Gravatar consent to making this data publicly available, so this is not a data leak or a privacy issue in that regard.

“Of course, Mr. Stephen knows that registering on Gravatar, his data will be publicly accessible. What I’m almost sure he doesn’t know, is that I was able to retrieve this data querying Gravatar in a way which should not be possible,” stated Di Dato.

He continued, “As Gravatar states in its guides, I should have Mr. Stephen’s email address or his Gravatar user name to perform the query. Without this information, it should have been almost impossible for me to get Mr. Stephen’s data, right?” 

Sensitive data gravatar
Gravatar profiles with extensive information

An issue like this becomes problematic because any web crawler or bot can now sequentially query virtually the entire Gravatar database, and harvest public user data very easily thanks to this little known but effective technique.

In the past, criminals have scraped Facebook profile data in bulk using its APIs and sold the dumps on the dark web for profit.

BleepingComputer emailed Gravatar for comment but we have not yet received a response from them.

Also Read: How To Send Mass Email Without Showing Addresses: 2 Great Workarounds



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us