
  • If you have an avatar (a picture) here on AskWoody, make sure Gravatar doesn’t have any personal data

    Posted on October 4th, 2020 at 10:20

    Ax Sharma at BleepingComputer published an article that shows how a sufficiently motivated cracker can scan all of the entries at Gravatar.com and pick up personal information there.

    If you have an avatar here on AskWoody (or on any other WordPress-based site), you have an entry in the Gravatar database. That’s where WordPress (and other sites) pick up your picture. Your picture is indexed by email address – your username on AskWoody doesn’t make any difference. The picture gets picked up by matching the email address associated with your AskWoody account against an email address in the Gravatar database.

    Gravatar is owned by WordPress.

    Since this new scraping technique can pull data from Gravatar, you might want to double-check and make sure you don’t have any sensitive info stored over there. It’s easy.

    Step 1. Go to Gravatar.com

    Step 2. In the upper right, click Sign In. Enter your email address and your Gravatar password (not your AskWoody password). Click Continue and Sign In.

    Step 3. Click My Profile. You see the settings in the screenshot.

    Step 4. Work through the entries on the right side and make sure there’s absolutely nothing there that you want to have snooped.

    Step 5. If you changed anything, click Save Profile.

    To be clear, this hack has nothing to do with WordPress itself, nor with AskWoody. But if you’ve set up an avatar for use on AskWoody or any other WordPress site, you should make the effort now to ensure that there’s nothing in the Gravatar database that you don’t want scarfed up for posterity.

    A reminder that AskWoody maintains the absolute minimum amount of information necessary to keep the site going — your username, the email address you used to create the account, your Plus membership status, and any additional info you may have stored, including your signature if you created one. Your password is stored in a one-way salted hash, which means that anyone reading the AskWoody database wouldn’t be able to figure out your password.

    Of course, we don’t store any payment information on AskWoody.com, or anything else worthy of tracking.

    Thx @Microfix, @Kirsty, @PKCano…