Gravatar

Gravatar (a portmanteau of globally recognized avatar) is a service for providing globally unique avatars and was created by Tom Preston-Werner. Since 2007, it has been owned by Automattic, which integrated it into its WordPress.com blogging platform.

Functionality
On Gravatar, users can register an account based on their email address and upload an image of their choice to be associated with that email address. Gravatar plugins are available for popular blogging software: when a user posts a comment on a blog that requires an email address, the blogging software checks whether that email address has an associated avatar at Gravatar. If so, the Gravatar is shown along with the comment. Gravatar support is provided natively in WordPress as of v2.5 and in the web-based project management application Redmine beginning with version 0.8. Support for Gravatar is also provided via third-party modules for web content management systems such as Drupal and MODX.

A user's profile data is available in a number of metadata standards, including hCard, JSON, XML, PHP, and vCard as well as via QR codes. The raw data formats (JSON, XML, and PHP) use the Portable Contacts standard.

A Gravatar image can be up to 2048 pixels wide, is always square and is displayed at 80 by 80 pixels by default. If the uploaded avatar is larger or smaller, the avatar is scaled appropriately. Each Gravatar is rated with an MPAA-style age recommendation, allowing webmasters to control the content of the Gravatars displayed on their website.

Webmasters can also configure their system to automatically display an Identicon when a user has no registered Gravatar.

History
For some time, the Gravatar service remained unmaintained. As Gravatar's popularity grew and more bandwidth was required, its creator became occupied with building a new version of the service. On 16 February 2007, "Gravatar 2.0" was launched. Besides an improved server script, users also noticed other improvements, such as being able to crop and use an image already hosted on the web. Support for two gravatars per account was added, between which the user can easily switch. "Gravatar Premium" was also launched, allowing unlimited email addresses and Gravatars per account.

On 11 June 2007, Tom Preston-Werner announced that 32,000 new users had signed up since the launch of Gravatar 2.0.

On 18 October 2007, Automattic acquired Gravatar. After doing so, they offered all previously paid services at no cost, improved server response time, and refunded those who had recently paid for service.

Matt Mullenweg announced on The Big Web Show on 2 December 2010 that Gravatar was serving approximately 20 billion images per day.

Security concerns and data breaches
Gravatars are loaded from the Gravatar web server using a URL that contains the MD5 hash of the associated email address. Because the hash is unsalted and email addresses have little entropy, this scheme has been shown to be vulnerable to dictionary attacks and rainbow table approaches.
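The following is an added example, not code from Gravatar or from this article, showing why the URL scheme described above offers no confidentiality for the email address. It builds the avatar hash according to Gravatar's documented normalisation (trim, lower-case, MD5), shows that the hash can be matched against a list of candidate addresses, and contrasts it with a site-side mitigation pattern: a site that fetches avatars server-side and exposes only a keyed HMAC to its visitors. The HMAC proxy, the `site_secret`, and the candidate addresses are assumptions of this example, not Gravatar features.

```python
import hashlib
import hmac

# Public avatar endpoint documented by Gravatar.
GRAVATAR_BASE = "https://www.gravatar.com/avatar/"


def gravatar_hash(email: str) -> str:
    """Return the hex MD5 digest Gravatar derives from an email address:
    surrounding whitespace is trimmed, the address is lower-cased, and the
    UTF-8 bytes are hashed with MD5. No salt or key is involved."""
    normalised = email.strip().lower()
    return hashlib.md5(normalised.encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80, default: str = "identicon") -> str:
    """Build the public avatar URL. `s` is the requested pixel size (80 is the
    default mentioned in the article) and `d` selects the fallback image shown
    when no Gravatar is registered, here the Identicon the article describes."""
    return f"{GRAVATAR_BASE}{gravatar_hash(email)}?s={size}&d={default}"


def recover_from_candidates(target_hash: str, candidates):
    """Illustrates the weakness the article describes. Because the hash is an
    unsalted MD5 of a low-entropy value, any hash visible in a page can be
    compared against hashes of candidate addresses (a constructed list here).
    Returns the matching normalised address, or None if nothing matches."""
    for cand in candidates:
        if gravatar_hash(cand) == target_hash:
            return cand.strip().lower()
    return None


def proxied_avatar_id(email: str, site_secret: bytes) -> str:
    """Mitigation pattern (an assumption of this example, not a Gravatar
    feature): a site that downloads avatars on the server side can publish a
    keyed HMAC of the address instead of the raw MD5. Without `site_secret`
    a visitor cannot match the identifier against an email wordlist, so the
    per-user hash never reaches third parties. The server still uses
    gravatar_hash() internally to fetch the image."""
    normalised = email.strip().lower()
    return hmac.new(site_secret, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    target = gravatar_hash(" Alice@Example.org ")
    print("avatar URL:", gravatar_url("alice@example.org"))
    print("recovered from candidates:",
          recover_from_candidates(target, ["bob@example.org", "alice@example.org"]))
    print("proxied identifier:", proxied_avatar_id("alice@example.org", b"example-site-secret"))
```

The proxy pattern trades bandwidth and latency for privacy: the site fetches and caches the image itself, and visitors only ever see the HMAC, which is stable per user (so caching still works) but cannot be matched against an email wordlist without the secret.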

In 2009, it was demonstrated that over 10% of the email addresses of a set of forum users could be determined from the Gravatar URLs combined with the forum user names.

Subsequently, in 2013, security researcher Dominique Bongard showed that he was able to determine 45% of the email addresses used to post comments on a well-known French political forum by combining Gravatar URLs with the open source Hashcat password cracking tool.

Because Hashcat uses graphics processing units to crack hashes efficiently, it has been argued that Gravatar hashes will only become easier to crack as GPU technology and performance continue to improve. This is in addition to the fact that the MD5 hashing algorithm itself is severely compromised and unfit for cryptographic applications; the CMU Software Engineering Institute has recommended against its use in any capacity since the end of 2008.

In October 2020, security researcher Carlo di Dato publicly disclosed a technique for scraping large volumes of data from Gravatar, after Gravatar had ignored the concerns he raised with them. 167 million names, usernames and MD5 hashes of the email addresses used to reference users' avatars were subsequently scraped and distributed within the hacking community. 114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and the accompanying data; email account holders can check whether their addresses were leaked using Have I Been Pwned.