PII leak: Signup flow says email is "Never shown to the public", then uses it for Gravatar

On a default installation of Discourse, the signup pane asks for an email. It says this email is “Never shown to the public”. But upon completing the flow and being signed up, before the user has any chance to edit their profile or do anything, the email address is used to fetch an avatar from Gravatar.

I would consider this a leak of personally identifying information. A Gravatar could, in principle, be correlated with someone’s identity and therefore their email address. The user has the chance to change the avatar, but it is possible in principle for someone to see the account and attached avatar before the user has done anything, using the public “Users” list. Gravatar support is a great feature, but the problem is Discourse specifically creates an expectation that the email address is private using the language in the Sign Up box itself: “Never shown to the public”.

I think the best way to fix this would be to either alter the sign up box text to create a different expectation, or have a checkbox/confirm for “fetch avatar with gravatar”.

I encountered this on the Letsencrypt forums, but in testing I can confirm the same behavior is on try.discourse.org and this forum (meta.discourse.org).

2 Likes

You can’t define “the public” as gravatar, especially since the request is direct from the server to a gravatar server, via encrypted https. And isn’t the hash of the email used?

5 Likes

Yes:

https://github.com/discourse/discourse/blob/master/app/models/user_avatar.rb#L23

@mcc after reading the code do you still consider this to be a PII leak?

6 Likes

I presume the PII here is the content of the image itself. You may not want the public knowing who you are when you sign up for a Discourse site with your email address, especially since it says that your email will be private.

In other words, I sign up under some random username to protect my privacy, but use my normal email address. Based on the “never shown to public”, I would not expect my image to instantly be tied to that account for anyone to see.

I am finding this impossible to parse.

You uploaded your image to Gravatar, associated with your email, because you want it to follow you around everywhere you use the internet. If you don’t want it following you around, don’t upload it to Gravatar.

:woozy_face:

9 Likes

Agreed, and gravatars aren’t unique.

A gravatar isn’t PII by definition - it’s public PII which is a separate category. The hash by definition is one-way.

Anyone who is serious about privacy isn’t using the same email everywhere, linked with a gravatar. Even plus addressing defeats it.

Email addresses are also considered public PII as they can in some cases reveal gender, age and location in addition to a name.

Just as a middle ground, is it too hard to add an optional opt-out (or opt-in) for the avatar being looked up on Gravatar?

2 Likes

This site setting already exists:

[screenshot of the site setting]

8 Likes
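To make the two technical points of the thread concrete (that the request sent to Gravatar carries a digest of the address rather than the address, and that a site setting can turn the lookup off entirely), here is an added example written for this page. It is not Discourse's own code and not any poster's: it follows Gravatar's documented scheme (MD5 of the trimmed, lower-cased email), and the `gravatar_lookups_enabled:` flag and the `avatar_source_for`/`leaks_email?` helpers are constructed stand-ins, not the real Discourse setting key or model methods; the actual hashing line is in the `user_avatar.rb` link above.

```ruby
require "digest"

GRAVATAR_BASE = "https://www.gravatar.com/avatar".freeze

# Gravatar's scheme: md5 of the trimmed, lower-cased address. This is the only
# user-derived value that leaves the server when an avatar is fetched.
# (Assumption: mirrors what the linked user_avatar.rb does; check that line for
# the exact expression Discourse uses.)
def gravatar_hash(email)
  Digest::MD5.hexdigest(email.strip.downcase)
end

# d=404 asks Gravatar to answer 404 instead of a generated placeholder, so the
# server can distinguish "no avatar registered" from "has an avatar".
def gravatar_url(email, size: 120)
  "#{GRAVATAR_BASE}/#{gravatar_hash(email)}.png?s=#{size}&d=404"
end

# Defender-side check on the outbound request: true if the URL would carry the
# address itself (or any '@' at all) rather than its digest.
def leaks_email?(email, url)
  url.downcase.include?(email.strip.downcase) || url.include?("@")
end

# Models the site-setting gate: with Gravatar lookups disabled the account gets
# the letter avatar and no request URL is built at all. The keyword name is a
# constructed stand-in for the real site setting shown in the screenshot.
def avatar_source_for(username, email, gravatar_lookups_enabled:)
  if gravatar_lookups_enabled
    { kind: :gravatar, url: gravatar_url(email) }
  else
    { kind: :letter, letter: username[0].upcase }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample address; mixed case and padding show the normalisation.
  url = gravatar_url(" Alice.Example@Example.COM ")
  puts url
  puts "raw address present in request: #{leaks_email?("alice.example@example.com", url)}"
  p avatar_source_for("alice", "alice.example@example.com", gravatar_lookups_enabled: false)
end
```

Two properties worth noting from the code: case and whitespace differences collapse to one digest, which is why the same Gravatar follows a user across sites that all hash the same way, and the digest is fixed-length hex with no `@`, so an `leaks_email?`-style check is a cheap assertion to keep in a test suite around any avatar-fetching code.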

The standard security risks of hash reversing and Gravatar visitor tracking are avoided in Discourse because the server actually downloads the image.

If you have multiple emails with the same avatar (as I do), it is not possible to figure out which one I signed up to a forum with unless you are Gravatar. Discourse does not keep or publish an avatar history, so the user workaround is fairly simple (switch back to a letter or upload a new image). And you can always upload someone else’s avatar manually.

This doesn’t seem like a reliable attack to execute.

6 Likes