Gravatar, how to collect all data with a url
The discovery is by the Italian researcher Carlo Di Dato, from whose demonstration it becomes clear how vulnerability is indeed important and of great impact for a service of the caliber of Gravatar.
Gravatar: anyone can extrapolate data in bulk
Access to individual accounts can take place via two different URLs, such that it is sufficient to know either the username or the MD5 encrypted parameter (relating to the e-mail) in order to enter the single public reference. However, Di Dato has discovered that the code also clarifies a progressive number linked to each individual account: this could allow anyone, simply by inserting an increasing variable to explore the database in successive attempts and to be able to massively export the information stored on the Gravatar servers. .So Di Dato explains the potential impact of this vulnerability:
I was amazed to find that Gravatar did not use any protection and that it simply let me access user data. Now, the fact that this data is public could be misleading and suggest that it is not a real problem. In reality this is not the case. For a user who wants to collect data and then proceed with any type of social engineering attack, the ability to download the data of millions of users in json format (there are approximately 194,000,000 users) represents a gold mine. I'll give you an example: even without knowing the user and / or email address, I was able to view the following data of a certain Mr. Stephan:
# 1 - the place where he lives
# 2 - his facebook, twitter and flickr users
# 3 - his bitcoin wallet
In several cases, users had profiles similar to the fake one created by me (with numbers mobile, landline, addresses, etc ...). This is why the problem found poses a serious threat to users of the Gravatar service: they offer the opportunity to download user data simply by enumerating an integer type id.
The problem is therefore simply inherent in this number progressive since an attacker could easily use it for purposes completely unrelated to the functioning of the service.
Carlo Di Dato's proof-of-concept
Carlo Di Dato explains that he tried to report the problem to Gravatar for about a year, without however receiving the due attention: hence the choice to make their discovery public, so that users can at least be aware of what they are experiencing and of the fact that, by uploading details on their profile, they do not they enrich an identity that anyone could make their own with a simple automatic scraping.
Code in the files extracted from Gravatar: we got this information trying directly the procedure discovered by the researcher Carlo Di Dato
“If you look at the JSON file, you will find a lot of interesting information. The danger of this type of problem lies in the fact that an attacker can download a large amount of data and carry out a social engineering attack against users “. In practice: by collecting information from users, targeted attacks can be created that simulate e-mails so refined that they can push users to reveal other data, passwords or sensitive information. This could therefore become the basis for a series of high monetization scams, therefore potentially very interesting for the underworld.
Source: Bleeping Computer
