Gravatar makes it too easy to impersonate a commenter on a WordPress blog

Gravatar is a service that provides a globally recognizable avatar to people who sign up for it. WordPress uses it by default in the comments section when the site is configured to show the comment author's avatar next to their comment, which is the default configuration in WordPress.

Gravatar associates an email address with an image. A simple algorithm converts the email address into a URL, and if you use that URL as the "src" attribute of an HTML IMG tag, the image is displayed.

This simple functionality is convenient for WordPress, since an email address is almost always required in order to post a comment, and for many other services that require an email address on registration.

The problem is that there is no verification that the email address actually belongs to the commenter. If I know the email address of someone I hate (let's call him X), I can use it on some controversial site (porn, extreme political views, etc.), leave sympathetic comments, and then direct people we both know to that site to "learn about the true nature of X". X's reputation can be damaged without him even knowing about it, all because his picture automatically appears next to a comment identified only by his email address.

But aren't email addresses semi-public information, and haven't they always been? You could always use someone else's email address to impersonate them, so what is new?
The difference is that email addresses were usually not displayed, because of spam-avoidance measures. Gravatar, while not directly exposing the address itself, does expose its owner.

In my opinion, gravatars should not be displayed unless there has been some authentication showing that the owner actually knows the picture will appear on your site. For example, Gravatar is used on StackExchange, but there the email address is not freely submitted; it is retrieved from a service that provides strong identification, such as Google, Facebook or Twitter. You can probably still impersonate someone who doesn't have an account at one of those services, but it is harder to do unnoticed.


Update: I opened a ticket to show pictures from Gravatar only for registered users by default in WordPress.


Update 2: Since the ticket did not get any traction, I created a plugin that at least prevents the impersonation of registered users in the comments of a specific site.
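To make both halves of the post concrete, here is an added Python example (not code from the post, from WordPress or from Gravatar). It derives the avatar URL the way Gravatar documents it (MD5 of the trimmed, lowercased address), which shows why merely knowing an address is enough to make its owner's picture appear, and then applies the policy the updates describe: the real gravatar is rendered only for comments left by a logged-in user, and every anonymous comment gets a neutral placeholder. The `Comment` type and the `user_id == 0` convention for anonymous commenters are assumptions modelled on WordPress's comment records; the `d` and `f` query parameters are Gravatar's documented "default image" and "force default" options.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlencode

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"
# All-zero hash: a valid Gravatar request that identifies nobody, used for placeholders
# so the page does not even leak the hash of an unverified address.
NOBODY_HASH = "0" * 32


def gravatar_hash(email: str) -> str:
    """Gravatar's documented identifier: MD5 hex digest of the trimmed, lowercased address.

    Anyone who knows the address can compute this; nothing in the scheme proves ownership.
    """
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80, default: str = "mp") -> str:
    """URL a site would put in <img src=...> for a verified owner of `email`."""
    params = {"s": str(size), "d": default}
    return f"{GRAVATAR_BASE}{gravatar_hash(email)}?{urlencode(params)}"


def placeholder_url(size: int = 80, default: str = "mp") -> str:
    """Generic avatar for comments whose author could not be authenticated."""
    params = {"s": str(size), "d": default, "f": "y"}  # f=y forces the default image
    return f"{GRAVATAR_BASE}{NOBODY_HASH}?{urlencode(params)}"


@dataclass
class Comment:
    """Assumed model of a stored comment (constructed for this example)."""
    author_email: str   # whatever the commenter typed into the form
    user_id: int = 0    # WordPress convention: 0 means the commenter was not logged in


def avatar_url_for_comment(comment: Comment, size: int = 80) -> str:
    """Policy from the post: show the address's gravatar only when the comment came from
    a registered, logged-in user; an anonymous comment gets the placeholder even if the
    typed address belongs to a real person."""
    if comment.user_id > 0:
        return gravatar_url(comment.author_email, size)
    return placeholder_url(size)


def impersonation_possible(comments: list) -> bool:
    """True if any anonymous comment would be rendered with a real gravatar, i.e. the
    naive 'hash whatever was typed' behaviour is in effect for that comment."""
    return any(gravatar_hash(c.author_email) in avatar_url_for_comment(c)
               for c in comments if c.user_id == 0)


if __name__ == "__main__":
    # Constructed sample: X's genuine comment and an anonymous comment that reuses X's address.
    sample = [
        Comment("X@Example.com", user_id=7),
        Comment("x@example.com", user_id=0),
    ]
    for c in sample:
        print(c.user_id, avatar_url_for_comment(c))
    print("impersonation possible:", impersonation_possible(sample))
```

The naive behaviour the post criticises is `gravatar_url(comment.author_email)` applied to every comment; the `user_id` check is the whole mitigation, and the placeholder deliberately omits the address hash so an unverified address leaks nothing at all.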
