Make WordPress Core

Opened 8 years ago

Last modified 7 days ago

#14682 reopened defect (bug)

Privacy leakage: gravatars leak identity information — at Initial Version

Reported by: jmdh
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.0
Component: Comments
Keywords:
Focuses:
Cc:


If a commenter on a blog leaves a comment without having logged in to the site, and the "Comment author must fill out name and e-mail" preference is enabled for the blog, the author must provide an email address. The form for this says "Mail (will not be published) (required)".

It's true that the email address itself is not published, but if the site has gravatars enabled, the persistent identity of the commenter is nonetheless revealed. Together with inspection of other posts where the commenter has chosen to reveal their identity, on the same blog or other blogs, or a brute-force approach taking a known email address to find postings attributed to them (using a global search engine), this results in a complete loss of anonymity.

At the bare minimum, the user should be aware of this, so that they can choose not to comment; preferably, the software should be changed so that gravatars are not used for these sorts of posts (or made configurable, in combination with the user being made aware).
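The following is an added illustration of the leak the ticket describes and of the mitigation it asks for; it is not code from the ticket or from WordPress. It assumes the standard Gravatar scheme, in which the avatar URL carries the MD5 of the trimmed, lowercased e-mail address, so the same address always yields the same public identifier on every site. The mitigation shown (a per-site keyed hash feeding a locally generated avatar for guest commenters, while logged-in users keep their Gravatar) is one possible design, not WordPress's behaviour; `GRAVATAR_BASE`, the site secrets and the sample addresses are constructed for the example.

```python
import hashlib
import hmac

# Assumed scheme: Gravatar derives the avatar path from md5(lower(trim(email))).
# The base URL below is the public Gravatar endpoint; nothing else here is
# taken from WordPress or from the ticket.
GRAVATAR_BASE = "https://www.gravatar.com/avatar/"


def normalize_email(email: str) -> str:
    """Canonical form hashed by Gravatar: surrounding whitespace stripped, lowercased."""
    return email.strip().lower()


def gravatar_hash(email: str) -> str:
    """The value that ends up in the public avatar URL for this address."""
    return hashlib.md5(normalize_email(email).encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80) -> str:
    """Avatar URL as a blog would emit it next to a guest comment."""
    return f"{GRAVATAR_BASE}{gravatar_hash(email)}?s={size}"


def extract_hash(url: str) -> str:
    """Pull the hash back out of an avatar URL (query string ignored)."""
    return url.split("?", 1)[0].rsplit("/", 1)[-1]


def same_person_across_sites(url_a: str, url_b: str) -> bool:
    """Two avatar URLs, possibly on different blogs, carry the same hash iff the
    commenter used the same address: the hash is a persistent cross-site
    identifier even though the address itself is never displayed."""
    return extract_hash(url_a) == extract_hash(url_b)


def site_scoped_avatar_seed(email: str, site_secret: bytes) -> str:
    """Mitigation: HMAC-SHA256 under a per-site secret still gives a stable seed
    for a locally generated identicon, so a repeat commenter keeps a consistent
    picture on this blog, but the seed cannot be matched against gravatar.com
    or against the same commenter's avatar on another site."""
    return hmac.new(site_secret, normalize_email(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def avatar_for_comment(email: str, is_logged_in: bool, site_secret: bytes) -> str:
    """Policy along the lines the ticket asks for: only logged-in users get a
    Gravatar URL; guest commenters get a site-scoped local avatar instead."""
    if is_logged_in:
        return gravatar_url(email)
    return "local-identicon:" + site_scoped_avatar_seed(email, site_secret)


if __name__ == "__main__":
    email = "Alice.Example@Example.org"          # constructed sample address
    blog_a = gravatar_url(email)                  # as rendered on one blog
    blog_b = gravatar_url(" alice.example@example.org ", size=200)  # another blog
    print(blog_a)
    print("same identifier on both blogs:", same_person_across_sites(blog_a, blog_b))
    secret_a, secret_b = b"site-a-secret", b"site-b-secret"   # constructed secrets
    print(avatar_for_comment(email, False, secret_a))
    print("guest seeds differ between sites:",
          site_scoped_avatar_seed(email, secret_a) != site_scoped_avatar_seed(email, secret_b))
```

Running it shows that capitalisation, surrounding whitespace and the requested size make no difference to the hash, which is exactly why a commenter who uses the same address on two blogs can be linked between them. The keyed variant keeps the per-site consistency that makes avatars useful while removing the cross-site and gravatar.com linkability.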

Change History (0)
