[wp-trac] [WordPress Trac] #14682: Privacy leakage: gravatars leak identity information

Wed Aug 25 17:22:47 UTC 2010

#14682: Privacy leakage: gravatars leak identity information
-----------------------------+----------------------------------------------
 Reporter:  jmdh             |       Owner:                 
     Type:  feature request  |      Status:  new            
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Comments         |     Version:  3.0.1          
 Severity:  normal           |    Keywords:                 
-----------------------------+----------------------------------------------
Changes (by Denis-de-Bernardy):

  * type:  defect (bug) => feature request
  * component:  Security => Comments

Old description:

> If a commenter on a blog leaves a comment without having a log in to the
> site, and the "Comment author must fill out name and e-mail" preference
> is enabled for the blog, the author must provide an email address. The
> form for this says "Mail (will not be published) (required)"
>
> It's true that the email address itself is not published, but if the site
> has gravatars enabled, the persistent identity of the commenter is
> nonetheless revealed. Together with inspection of other posts where the
> commenter has chosen to reveal their identity, on the same blog or other
> blogs, or a brute-force approach taking a known email address to find
> postings attributed to them (using a global search engine) this results
> in a complete loss of anonymity.
>
> At the bare minimum, the user should be aware of this, so that they can
> choose not to comment; preferably, the software should be changed so that
> gravatars are not used for these sorts of posts (or made configurable, in
> combination with the user being made aware).
>
> I would suggest closing as wontfix.

New description:

 If a commenter on a blog leaves a comment without having a log in to the
 site, and the "Comment author must fill out name and e-mail" preference is
 enabled for the blog, the author must provide an email address. The form
 for this says "Mail (will not be published) (required)"

 It's true that the email address itself is not published, but if the site
 has gravatars enabled, the persistent identity of the commenter is
 nonetheless revealed. Together with inspection of other posts where the
 commenter has chosen to reveal their identity, on the same blog or other
 blogs, or a brute-force approach taking a known email address to find
 postings attributed to them (using a global search engine) this results in
 a complete loss of anonymity.

 At the bare minimum, the user should be aware of this, so that they can
 choose not to comment; preferably, the software should be changed so that
 gravatars are not used for these sorts of posts (or made configurable, in
 combination with the user being made aware).

--

Comment:

 Replying to [comment:5 jmdh]:
 > Firstly - is it customary on this trac instance to edit the description
 with commentary? Since there is no built-in attribution it might confuse
 other people reviewing the bug.

 The close keyword should have been added instead.

 Leaving this as a feature request, since nothing is technically
 dysfunctional.

 I'm itching to close the ticket. It seems to me that highlighting the
 problem to the end user (a notice in the comment form, explaining that
 entering an email will reveal the avatar attached to it), and implementing
 the workaround (aka a "Show my Avatar" checkbox in the comment form), can
 (should) both be done in a plugin or in the theme. There's a get_avatar
 hook in get_avatar(), and comments can have a meta field.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/14682#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software