Notice that picture next to someone’s comment on a blog post? It’s called a Gravatar. It’s insanely easy to use and simple to set up. Gravatars are great because they display a photo or logo on any comment that you leave on a WordPress blog. You can change the picture whenever you like, and it gives you an identifiable image without having to log in or upload an image. It’s this convenience that allows your internet identity to be hijacked, impersonated, or stolen.
The image is identified by the email address put into the comment field when a comment is left. If someone knows your email address they can create “pirate” comments on any blog anywhere, anytime. This colossal vulnerability leaves open a staggering amount of daunting possibilities.
Someone can post hateful or inflammatory comments that look like they came from you. That’s right. Hateful, vile, and insidious comments next to your picture or logo, linked right to your blog. There are hundreds of millions of blogs. They can be left anywhere, anytime. The potential damage is scary. Those of you reading this who have a blog or a personal brand online know exactly what I’m talking about. It would be impossible to track every fake comment or even know of their existence. You might find out only when you receive an angry email from someone about a comment “you left” on their blog. You might never find out at all. There could be someone out there who hates you because of things said by the impersonator that look like they came from you. The reason this is so concerning is that it is super easy to hijack someone’s identity, yet incredibly difficult (or near impossible) to fix or clean up.
The Issue of Fake Praise
The hijacking of a personal brand isn’t just limited to negative comments with ill intent. Comments can be impersonated on a blog that are of a positive nature so it looks like that blogger is getting praise from someone well established. Imagine this.
Someone makes a post. They use Tim Ferriss’ image to make a fake Gravatar account. They then leave a comment of praise, kudos, or support on a blogger’s post. It takes about 30 seconds to make a Gravatar account. The only thing you need is an email address. In the case of fake praise, you don’t even need to know the impersonated person’s actual email address. The picture next to the comment is the only thing that is seen. It now looks like Tim Ferriss (or whomever) is a reader or patron of the blog when in fact they are not. There is no way to tell the difference. This vulnerability also has limitless possibilities for fraud. It doesn’t have to be an established blogger. It can be anyone famous or recognizable. Heidi Klum, Brad Pitt, George Bush, LeBron James, Nelson Mandela. It’s easy to find pictures on the internet of famous and well-known people in order to make a fake Gravatar account. This makes it incredibly easy to fake validation and fake praise.
The “Savior” That is Disqus
There are some services like Disqus gaining popularity that require a password login in order to leave a comment. This adds another layer of “protection” from this comment fraud, but does not stop fake comments entirely. Someone can make a similar email address and use the exact avatar image in order to make a fake Disqus account. Then they are free to leave fake and impersonated comments as they please.
Future Gravatar Upgrades Compound Problem
Darnell Clayton of BloggingPro recently wrote this: “WordPress Upgrades Gravatar Profiles (Adds Verification)”. In it he quotes Beau Lebens’ post:
“What if your Gravatar wasn’t just an image that showed up when you comment, but you could attach more of yourself to it to better represent your style, flair, and personality not just with more photos but with links to all the cool stuff you’re doing around the web. [...]
You’ll find some cool features on the new profiles: you can have a gallery of your favorite photos, add a variety of contact methods, and link your other profiles. Every linked account is verified so you know it’s not an impostor, and we also might be able to do cool stuff in the future like aggregate your content or update your avatar in multiple places when you update Gravatar.”
Every linked account is verified through email. The problem is that you still don’t know if it’s an impostor or not. Because of the way Gravatar is set up, there is no way to tell who actually used the person’s account. I love the ease and convenience of the Gravatar experience. And while I’m excited by the future evolution in the Gravatar realm, I am deeply concerned by its vulnerabilities.
Holy Crap! What Can Be Done?!!!
As it stands right now, not much. There are no barriers to entry. Someone can easily make an impersonated Gravatar, Disqus, etc. account with little to no effort. Add some computer skills with the use of a bot and the damage is multiplied enormously. There are hundreds of millions of blogs and billions of posts or pages where a fake comment can hide. If you have a blog, please be aware of this. If someone emails you about an impersonated comment, please take it down sooner rather than later. You would want the same respect if this happened to you. If a comment is hateful, contact the person and ask them about it. Don’t jump to conclusions and respond with spite. If it’s from someone you know, and it seems completely out of sync with their personality and views, then also let them know. This isn’t just for your own blog. If you see something out of place in a comment, say something. Alert the blog, AND the person who supposedly left that comment. We all have to look out for each other.
What can Gravatar do? Gravatar needs to show all comments ever left by a specific email address (your account) when you sign into your Gravatar account. Gravatar is based on HTTP GET requests: every blog that shows your avatar fetches the image from Gravatar’s servers. They can aggregate these requests to show which websites have requested the Gravatar image for a comment. They should make it an easily searchable interface with filters like date, domain, etc. They have the technology and ability to do this. Whether they choose to do so is something else. Gravatar could also enable a feature where you could control what websites your Gravatar was used on. This could be as strict or lax as you like. You could choose for it to be as lax as it is now, or as strict as having a safelist of sites you regularly comment on. You could block the Gravatar from being used elsewhere. This would be a huge check and balance for hostile comments coming from a hijacked account. However, it wouldn’t do anything for problems stemming from fake accounts (hostile comments or fake praise).
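The audit and safelist features proposed above can be sketched in code. This is an added example, not anything Gravatar ships: it assumes access to Gravatar’s own avatar access log with a Referer header, uses Gravatar’s published rule that the avatar hash is the MD5 of the trimmed, lowercased email address, and works over constructed log lines, reporting which referring sites fetched one account’s avatar and which of them fall outside the owner’s safelist.

```python
import hashlib
from collections import Counter
from urllib.parse import urlparse


def gravatar_hash(email: str) -> str:
    """Gravatar's published rule: trim, lowercase, then MD5 the address.
    Anyone who knows the address can derive the same hash, which is why the
    account owner, not the commenter, is the party who can audit its use."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def parse_log_line(line: str):
    """Split one constructed access-log line into (avatar hash, referring host).
    Lines that do not have the expected shape are skipped (return None)."""
    parts = line.split()
    if len(parts) != 3 or not parts[1].startswith("/avatar/"):
        return None
    avatar_hash = parts[1][len("/avatar/"):].split("?", 1)[0]  # drop ?s=80 etc.
    host = urlparse(parts[2]).hostname  # .hostname is already lowercased
    if not host:
        return None
    return avatar_hash, host


def usage_report(log_lines, account_email, safelist):
    """Aggregate which sites requested this account's avatar, and list those
    outside the owner's safelist of sites they actually comment on."""
    wanted = gravatar_hash(account_email)
    by_host = Counter()
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None or parsed[0] != wanted:
            continue  # someone else's avatar, or a malformed line
        by_host[parsed[1]] += 1
    allowed = {h.lower() for h in safelist}
    return {
        "requests_by_host": dict(by_host),
        "outside_safelist": sorted(h for h in by_host if h not in allowed),
    }


# Constructed sample data (not real Gravatar logs). One line per avatar fetch:
# <client ip> <avatar path> <Referer of the page that embedded the image>
OWNER = "  Mark@Example.COM "          # hypothetical account holder
OTHER = "someone-else@example.net"     # a different, unrelated account
SAMPLE_LOG = [
    f"203.0.113.7 /avatar/{gravatar_hash(OWNER)}?s=80 http://blog.example/post/1",
    f"198.51.100.2 /avatar/{gravatar_hash(OWNER)} https://Friend-Blog.example/hello",
    f"192.0.2.9 /avatar/{gravatar_hash(OTHER)} http://blog.example/post/1",
    f"203.0.113.99 /avatar/{gravatar_hash(OWNER)} http://unknown-blog.example/rant",
    f"203.0.113.99 /avatar/{gravatar_hash(OWNER)} http://unknown-blog.example/rant",
    "garbage line that does not parse",
]
SAFELIST = {"blog.example", "friend-blog.example"}  # sites the owner comments on

if __name__ == "__main__":
    print(usage_report(SAMPLE_LOG, OWNER, SAFELIST))
```

A site on the outside_safelist list is where the owner would look for a comment they never left; with the strict mode the post describes, Gravatar would simply refuse to serve the image to that Referer.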
I almost didn’t write this post because I didn’t want to give the “bad guys” ideas. I would hate for this post to spark an “impersonation spree”. The internet is still in its infancy and in a Wild Wild West stage. While this hasn’t been a problem yet, I think it’s important to call attention to this subject before it becomes one. This vulnerability has the potential to cause a systematic breakdown of confidence in the system. Speaking with some of my friends online, they were also incredibly concerned with this vulnerability. While I was hesitant to write this at first, they convinced me that more good would come from exposing this vulnerability than bad. I hope this post calls attention to this weakness and fosters some solid discussion and ideas for solutions.
Smart article, Mark. I’m curious to see what kind of validation can be done to verify account holders a bit more.
When the internet first became popular, it seemed that almost everything allowed anonymity. The result was often a juvenile vomiting of the most vile garbage you could imagine. Once people started requiring names and photos, things began to mature. I wonder how it will be when people have to validate their true identity.
I also wonder what that will do to bloggers who choose to use pseudonyms. You can’t very well validate a name you know is fake to begin with.
There are so many issues with all of this and I wonder how it will turn out.
Hell, for all I know, you could have logged in as me and written this. Wait, I didn’t leave this comment! What the hell!!!
I agree David. There needs to be more validation that can be done to verify account holders. This might not be enough, as it may be necessary for Gravatar to take their own steps at making the whole process more secure. As the internet matures from its wild west stages of infancy, comment security will have to unfold.
You make an interesting point about bloggers who use pseudonyms. I am not sure how that would potentially work. It would be interesting to hear from someone about how it would work to still remain anonymous with a pseudonym while still having secure validation.
The staggering amount of issues regarding the ease in slandering someone online is truly scary. The need to protect one’s online brand and identity is extremely important. These vulnerabilities need to be dealt with.
I have thought about this and wondered about it – and esp. on the last part about why you wrote this. Yes it’s very true, so much at stake and we are only at the mercy of our readership and community to trust us and write it off as a hoax if it happens. A good friend of mine had his Twitter hacked and I received a very crass message from him. I was shocked – at the time I did not know him well enough to be sure it’s not him.
Here’s hoping we have more goodness going around the internet, however naive that may sound…..
Farnoosh, I agree there is so much at stake here, and it’s just too easy to destroy the trust. I hope that it doesn’t take a huge hoax to cause action to be taken and measures to prevent another in the future. Too often it takes some large damaging event, or a string of damaging events before action is forced and steps are taken. While there’s so much goodness going around on the internet, it only takes one to poison the well.
Mark,
On websites where Disqus is enabled, I have to login to leave the message (with a password). Is there a way to make Gravatar require that level of security on every comment? I doubt it from your voice here in this article but wanted to make absolutely sure in case I missed it (even after re-reading). Thank you much!
Farnoosh, the problem with Disqus is that someone can make a fake account with a fake email address and use your same image. When they leave comments with your identical Gravatar, there is no way to discern the difference between the comments made by you when you sign into Disqus and the fake comments made by the person using an account with your identical (and public Gravatar). The person with the fake account can even use your same name “Farnoosh”. Disqus is a great idea, but even it is not enough.
As of right now, Gravatar doesn’t require a level of security on every comment besides knowing that person’s email address. Since this is the way most of us stay in contact with people it is easy to obtain. Even if you used a separate email address only for commenting, every time you leave a comment on a blog, that person now has your email address. The same problem of fake accounts with Disqus also applies with standard Gravatar accounts. There is nothing stopping someone from creating a fake Gravatar account with your exact image, and a similar email address (if they know yours).
This is a non issue!
Is the running wild with fake comments? No of course not. It happens, occasionally, but it’s not a big deal at all.
As soon as you start trying to lock things down, you create more problems than the one you are trying to solve.
Open systems work much better. Look at email – are you suggesting we lock that down as well, in order to prevent spam and email hoaxes? As it stands I could easily impersonate you via email. If email wasn’t open then it wouldn’t have spread like it did, and we wouldn’t be using it like we do today.
Gravatar has been around for a long time and I have used it as both a user and developer. As it stands – identity theft via gravatar is not an issue.
Anthony, one of the great things about Gravatar is how open it is and how easy it is to use. This ease creates a vulnerability that so far has gone largely unexploited. I am not advocating closing the system, as that would not be a solution to the problem. Email is different in this sense since it’s not public. That is huge, as spam can be largely ignored, or deleted, but comments remain a constant permanent public record. I think the best thing Gravatar could add would be an easy to use interface where the user could see every comment posted with their user ID. While identity theft has not been an issue in the past, this doesn’t mean that it won’t be in the future.
I can see the clear danger this problem poses, but I think there’s an important point that’s being missed:
The strength of your reputation is determined by how many people know, trust, and believe in your reputation.
If Tim Ferriss commented on my blog today and said something that seemed out of context for what little I know about his personality and beliefs, that comment would instantly become less authentic. Tim and I don’t know each other. We’re not friends. If he commented on my blog today, regardless of what he said, I would have to take it with a grain of salt. The trust in the relationship hasn’t formed.
If Bill Gates or Steve Jobs commented on either of our blogs, would we (or other readers for that matter) take the comment seriously? I doubt it.
On the other hand, if Farnoosh Brock commented on my blog and said something about how Yoga is the most stupid thing in the world, I would instantly know that it wasn’t her talking. Because I know that much about Farnoosh — she loves Yoga.
I agree with Anthony Feint that the systems need to remain open. I also think that while this could potentially be a HUGE problem, time (so far at least) has proven otherwise. It has shown that people are “generally good” and that the few people who misuse the system aren’t going to cause global (or blogosphereical?) havoc.
Credit cards, email, Internet bank accounts, and just online security in general, is a total mess and entirely insecure. I know that, and yet I still bank online. I still use my credit card online. I do these because the convenience combined with being alert and on top of things makes the risk worth it.
If we openly expose ourselves — our opinions, world views, beliefs, etc. — and we focus on building relationships with people and creating social networks where others know who we are, then we won’t have to worry about the occasional misuse of our identity.
In real life, I’ve had people say things about me that were not true. They’ve told these things to my close friends. But none of my friends believed it (or they came to me directly to ask if it was true). This is because I make it clear who I am. I’m honest and trustworthy. I don’t gossip or spread rumors. That’s who I am, and anyone who knows that about me cannot be easily misled to think otherwise.
Raam, you make a good point on the strength of one’s reputation. Reputations built on a large number of connections and good relationships have a strong foundation. There exists a problem with people who don’t know you that well. The impersonated comments would be believable by them, and they may not even say something to you. Then there is a permanent record (along with your picture) out there on the internet for everyone to see. If you didn’t know Farnoosh Brock and she left a comment about yoga hate, you wouldn’t think twice that it wasn’t her.
I also agree with Anthony Feint. I think the system definitely needs to remain open. So far so good. There has not been a problem or meltdown or anything. The potential for abuse remains high though. I don’t see global havoc being caused by a few bad apples that misuse the system. My worry is that there could potentially be a snowball effect. A few people misuse the system and the havoc gains traction. Should we wait until havoc happens before we look for a solution?
While it would be horrible for the individuals to deal with, it will take much more for a loss of confidence in the system to occur. This loss of confidence could stem from the introduction of bots exploiting this vulnerability.
Currently Akismet does a good job detecting spam bots and their spam comments. It would be easy for someone familiar with bots to modify them for exploitation in a different manner. What if a bot was modified to only leave Raam Dev comments across the blogosphere? They don’t only have to be hateful comments that most people would know didn’t come from you. They could be self promotion ones. Someone could modify a bot to make it look like you were spamming other blogs in an attempt to garner more traffic to your site. In this sense a bot would compound the problem with its ease and automation. Gravatar could set a limit on the number of HTTP GET requests at a given time to prevent this. This control would limit the potential damage.
Raam you are right that we shouldn’t worry about the occasional misuse of our identity. I worry about someone dedicated to the constant misuse of our identity. It’s great that you have great friends who know that you are honest and trustworthy. I don’t think that you would have a problem clearing your name in the event of bad rumors spread about you from someone trying to damage your reputation. Friends are great and stand by us and listen to us. In real life these interactions are easier because of the dynamic of real life contact. With many “internet friends” these relationships are based largely on text. This can be text from a comment, twitter @ reply, etc. It can be harder to discern what is real and what isn’t in that sense. Also, many role models and famous people have rumors spread about them all the time. Some are true and some aren’t. Sometimes particularly nasty rumors do much damage even if they end up not being true.
While things have been so far so good, the potential for havoc and misuse is HUGE. I hope there can be solutions found that patch this vulnerability and make the system more secure, while still keeping it open. I think it’s better to be one step ahead and try to find solutions to a possible problem, before the vulnerability is exploited and it becomes an actual problem.
Another interesting possible solution would be for Gravatar to keep track of your IP address and detect when it changes. Whenever it changes, you could be prompted to reauthenticate to add your new IP to your Gravatar account.
Speaking of authentication, OpenID could be used to solve this problem too.
I think there are a lot of solutions on the table already. Facebook Connect was a possibility and Disqus has potential.
However, I don’t think the problem can be solved in a big way unless the WordPress developers decide to include something in the core WordPress — otherwise it’s just another plugin or add-on that people need to be convinced to use. Since Automattic runs both WordPress and Gravatar, integrating enhanced Gravatar security in the WordPress core should be relatively straightforward — the problem with the IP address idea I mentioned would be privacy concerns. In fact, it might be worthwhile to poke around the WP development community to see if there are already proposals for this.
The last time I tried Disqus (over a year ago, I think), I quickly stopped using it because I was running into random issues where Disqus was unreachable. To me, that is totally unacceptable. I don’t want the fate of my comments to rest on a third-party. And I imagine the problems aren’t entirely fixed either, since I still periodically see Disqus comments that fail to load when I want to leave a comment.
The IP address authentication is a great idea! That would add an entire level of security. Gravatar could make that optional so the wandering nomads and those on the road signing in from internet cafes wouldn’t be nuanced. That is a clever solution Gravatar could look at. They need to address these vulnerabilities now, so OpenID and Facebook Connect don’t make Gravatar obsolete.
The solution definitely will require either a change in the core WordPress or changes by Gravatar. Facebook Connect, Disqus etc, all have potential, but I think the best solutions would stem from keeping the comments open. Adding another service adds another service to sign up for, which is another “barrier to entry” for making a comment. Commenting should be easy, simple, and quick. Especially for people not familiar with commenting. It should be intuitive and easy, without the necessity of having to make a new account in order to leave their thoughts.
I also like having control over commenting without the use of a 3rd party service. I see the potential with Disqus, but I like the benefits of not having a 3rd party to go through.
As for the Gravatar IP address idea of yours, what privacy concerns are you talking about? I think it’s great!
For privacy concerns, I’m referring to the fact that an IP address can be used to trace someone. It’s equally as easy to spoof an IP address (actually, a lot easier), but for the majority of people out there, their IP address can be used to discover their location (exact location is tough without access to ISP databases, but not impossible).
Another possible solution would be to have Gravatar store a cookie on your computer once you’ve authenticated. Then every time you post a comment, the cookie is looked up. If it’s not present, Gravatar asks you to login.
But again, potential issues with that are that some people choose to turn off cookies (again, for privacy concerns) and the nuisance of logging in to Gravatar to post a comment might be more than people can handle (they have to remember enough logins as it is).
No, I had never thought about it but obviously I should have! I’ve had a few problems with phishing sites hacking my Twitter account and sending corrupt and destructive messages from my account. What I found is that the people who know me well email to say my account has been hacked, those that don’t know me send angry emails asking why I sent them that rubbish, and the real Internet novices open it so the cycle is perpetuated!
The dark side of blogging:(
Annabel, yes; the dark side of blogging… So unfortunate you had your twitter account hacked. Having an account hacked is a horrible thing. Luckily, all the damage is done from a central location (your twitter account) so once you have your account back, secure, and with a new password the damage is contained. With the dark side of Gravatar the damage is not from a central location, and as it currently stands, containment is near impossible. The dark side of blogging indeed.
This discussion has certainly picked up, Mark. I think this is what you were looking for. I have to agree with a lot of what Raam says here in terms of authenticity and knowing people, even though as you said, it takes one to poison the well. On a simpler side, has this kind of feedback been provided to Gravatar developers?
I had one identity theft – Flickr photos stolen and manipulated by a crazy woman who wanted to be me. It was no fun. I took it so hard. I hid all my photos. I disappeared. I cried. I screamed profanities at this maniac on the other side of the world. Yahoo/Flickr shut down account after account and slowly, as weeks and months went by, I decided that I am done being afraid and photos and posts will get stolen and losers will continue to thrive on others’ hard work just like they do in normal society – and that it’s good to be vigilant to the point that it does not ruin our sense of freedom and joy in what we love to do, in this case, blogging. All this without discounting the very good points you bring up for us here, Mark! Thank you!
Farnoosh, the discussion has definitely picked up! Chatting with you and Raam Dev has been invaluable in sparking ideas for solutions. I have provided feedback to Gravatar, but have not heard anything back. I am still unsure as to whom would be best to contact and which would be the best form of communication.
That’s so unfortunate and evil of that crazy woman to manipulate your photos. I’m so glad you persevered and decided you were done being afraid.
You said, “that it’s good to be vigilant to the point that it does not ruin our sense of freedom and joy in what we love to do”.
Well said Farnoosh, I couldn’t agree more!
While I definitely see your point and agree that any way they can increase security or authentication would be great, I still think that the benefits outweigh the negatives. In fact as a victim of identity fraud I know that this isn’t pleasant.
However, far more fraud comes from people you know or victims of circumstance, i.e. you leave your credit card somewhere, than online. I did a paper on this back in my college days and although online fraud is increasing and it’s definitely out there, it is not necessarily any worse than regular old identity fraud.
I really like some of the ideas that Raam mentions and definitely think that they would help authenticate comments. However I don’t see how they would stop someone from just copying your picture and creating their own account if they really wanted to.
Good post it seems to have produced some lively discussion.
Dustin, you make a good point about more fraud coming from people you know along with being a victim of circumstance. There is no specific impending doom regarding Gravatar and the stealing of someone’s internet identity. However, the security loophole and identity theft threat remains. Anything that can be done to increase security without ruining the user experience would be welcomed!
Yes, the benefits far outweigh the negatives, but it’s important to be aware of this Gravatar problem. The discussion has been lively and thought provoking. I keep giving this Gravatar identity theft problem thought. There are so many possible solutions and answers, but many increased security options would take away from the user experience. I am envisioning a crawl or search engine feature where you can see a list of every site that uses your email address to pull in a Gravatar. This would be along the lines of how Google Webmaster Tools has a feature that pulls in links to your website. This would solve the problem of someone obtaining your email address and using it to make fake comments in your name. This still leaves open the possibility of creating fake Gravatar, fake Disqus, and fake OpenID accounts. Maybe a Gravatar report system? Using Facebook Connect? Facebook Connect would make the process more difficult, but still wouldn’t stop it completely.
This article is dumb… nobody steals identities online…
What do you mean? I don’t know if you’re kidding, but this problem must be fixed ASAP! No matter what the cost!!!
Stop fighting guys!! I CAN’T TAKE IT ANYMORE!!!!
Who wants cheezburgers?