👋 Welcome to The OSINT Newsletter. This issue is a guest post from Tactical OSINT Analyst, a prolific contributor to the open source intelligence community. He shares a lot of his work on his GitHub profile and frequently posts updates on X. In this issue, he shows you how you can turn a Gravatar profile that returns a 404 into a rich source of data for OSINT.

🙏 I wanted to extend a special thanks to paid subscribers and advertisers. Without you, there wouldn’t be a writer’s fund to bring different perspectives on open source intelligence to this publication. All writers are compensated for their work and as more subscribers choose to upgrade, their compensation will also increase.

🚨 If you’re interested in writing for The OSINT Newsletter, please reply to this email with your background, a few examples of your previous work, and a few ideas you have for this publication. This issue is a great example of the type of content I’m looking for!

🪃 In case you missed recent newsletters, here are a few links to help you catch up.

The OSINT Newsletter - Issue #25

Jake Creps

·

October 9, 2023

Read full story

The OSINT Newsletter - Issue #24

Jake Creps

·

October 2, 2023

Read full story

Let’s get started. ⬇️

Introduction

Gravatar, which stands for Globally Recognized Avatar, is a service by Automattic that allows users to assign a unique avatar to their email addresses. This avatar is then used across various online platforms, forums, and websites. While Gravatar is an immensely useful service, it is essential to be aware of potential vulnerabilities and oversights that can be exploited for Open Source Intelligence (OSINT) purposes. And this is what we are going to do, as OSINT Analysts we have to know how to take advantage of various bugs and vulnerabilities.

Background

You only need to upload your image and create your public profile once. So, from that point on, whenever you hop on a Gravatar-enabled website, your Gravatar image and public profile will simply come along with you each time.

Gravatar is a free service for site owners, developers, and users. It is automatically included in every WordPress.com account and is run and supported by Automattic.

If your target has a WordPress account, you know you are going to find something on Gravatar.

How do you know when your image will appear?

For your Gravatar to appear on other sites you choose to use, interact with, or comment on, here is an overview on what has to happen:

• The website you're on must support the Gravatar service. While many platforms and blogs already integrate this feature, it's not universal. Big platforms like Facebook, Twitter, and LinkedIn still haven't adopted Gravatar.

• Ensure the email address tied to your profile on other platforms matches the one registered to your Gravatar account. Gravatar relies on your email to deliver your image across sites. If your email isn't in the Gravatar system, your image simply won't show up.

• Check your Gravatar's rating against the site's allowed ratings. Many platforms limit Gravatar visuals to G or PG ratings. For instance, WordPress.com's default setting only allows G-rated images. If your Gravatar exceeds the site's permissible rating, it'll default to a standard image instead of your selected Gravatar.

JSON Profile Data

Here’s how Gravatar defines JSON:

JSON is a nice, lightweight format which is relatively terse and provides for a simple way to encode complex information. There are libraries (or native support) for it in most programming languages now, including Javascript, which makes it a perfect cross-language encoding format. Requesting profile data in JSON is a simple process and gives you immediate access to all open profile information.

More about JSON Profile Data

Be aware that you can append .json after any profile link to get the data in JSON format. You can find some interesting information such as the email MD5 hash, which can then be decoded to provide the user's email address.

You can get:

• Full name

• Display name

• About me (Data about the user)

• Given name

• Family name

• Social network accounts

Reverse searching with the email MD5 hash

All URLs on Gravatar are based on the hashed value of an email address.

Images and profiles are accessed via the hash of an email, and it is the first and primary way of identifying a Gravatar user.

I have an MD5 hash of an email and would like to know more and to check if there is anything on Gravatar.

So we can reverse search by doing it this way:

This will then take us automatically to the user if the user used Gravatar.

Unfortunately, we get a 404, this means the user has never existed or deleted his/her profile.

In OSINT, and during investigations, you should not give up and always try pushing harder and further, and I must admit that I am never one to quit easily.

Searching for new techniques

I enjoy exploring new OSINT techniques and vulnerabilities. I became familiar with the JSON profile format because I've been actively contributing to the WhatsMyName Project over the past few months. I've also had the privilege of learning from Webbreacher, a renowned figure in the OSINT community. He's always willing to share his knowledge, and I've gained valuable insights while collaborating with him to expand the coverage of WhatsMyName to include many new websites.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research. This post has been paywalled to prevent wide scale abuse of this technique. Unfortunately, this is the world we live in these days.

By upgrading to paid, you’ll get access to the following:

🔎 A step-by-step guide to finding additional information about a Gravatar profile with a 404 error.

🥷 Learn how to reverse an MD5 hash into an email address.

✍️ Help support The OSINT Newsletter freelance writer fund.

👀 Access to all paid posts in the archive. Go back and see what you’ve missed!