What stops someone from impersonating your Gravatar email?

  • Unknown's avatar

    I’m mostly just curious, but I use WordPress on my website and use WordPress comments on various websites. On these websites to log in and comment all I need to enter is my name and email address, it doesn’t ask for a password or anything.

    On the dashboard of my own site, I can easily see the used email addresses of my readers. Hypothetically, a person could use that information to impersonate someone.

    As a curiosity about security concerns I’d like to ask, without a hidden password what stops a Gravatar account from being impersonated?

  • Unknown's avatar

    I tagged this thread for Staff to take notice of your concern and respond here to you. To subscribe look in the sidebar of this thread, find the subscribe to topics link and click it.

  • Unknown's avatar

    I appreciate that Timethief, thanks.

  • Unknown's avatar

    I use WordPress on my website and use WordPress comments on various websites. On these websites to log in and comment all I need to enter is my name and email address, it doesn’t ask for a password or anything.

    Are you talking about using your WordPress.com credentials to comment on a non WordPress.com site?

    Could you give me an example of a site where you use this process to comment?

  • @lizthefair
    I think what the OP is referring to is that we have the option to set our sites to allow anyone to comment by just entering a username and email address, i.e. they don’t have to be registered users on WP.com and don’t need to comment via a social media account. My discussion settings are set like that, for example.

    What the OP is asking is, what prevents someone else from entering my username and email instead of their own when commenting on a site with those settings.

  • Unknown's avatar

    What the OP is asking is, what prevents someone else from entering my username and email instead of their own when commenting on a site with those settings.

    If you try to post a comment using an email address connected to a WordPress.com account on another WordPress.com site without being logged into the account, you get this error message:

    You are being asked to login because (email visible only to moderators and staff) is used by an account you are not logged into now.

    I was asking the OP about the specific site she was referring to because while I suspect something similar would happen if one tried to use a Gravatar account to post a comment on a non WP.com site I wanted to test that idea first.

  • I understand :) Good to know it’s not possible on WP.com, though.

  • Unknown's avatar

    For example, on my website http://www.selkiecomic.com, as well as a few other webcomic sites like http://www.skin-horse.com, all it ever asks people for is the username and email address. AFAIK there’s no WordPress connection needed to pull up your Gravatar. You can enter your username and email without being logged in to WordPress and it pulls up your Gravatar.

  • Unknown's avatar

    Thanks for clarifying, strawberrycocoa. You are right, when sites other than WordPress.com use Gravatars for comment avatars, they are not verified, just like there is no way to know that any e-mail address entered into a comment field really belongs to the comment author.

    This is really just a natural consequence of how the service works. It’s meant to be an easy way to display user images, so we don’t want to add layers of authentication to block that ease.

    It’s also a good reminder that you only want to share your email address with sites you trust, and that having a comment from someone, even if it has a Gravatar, is not proof the person is who they say they are.
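
The two behaviours described in the staff replies above, side by side, as an added example that is not part of the original thread and not WordPress.com or Gravatar code. The function names, the `REGISTERED_EMAILS` set and the sample addresses are hypothetical, and the avatar URL assumes Gravatar's long-documented scheme of hashing the trimmed, lowercased address.

```python
import hashlib

# Constructed sample data: addresses tied to registered accounts (hypothetical).
REGISTERED_EMAILS = {"alice@example.com"}


def normalize(email):
    return email.strip().lower()


def gravatar_url(email):
    # Assumption: Gravatar's long-documented scheme, a hash of the trimmed,
    # lowercased address. Nothing secret goes in, so anyone who knows the
    # address gets the same URL.
    digest = hashlib.md5(normalize(email).encode("utf-8")).hexdigest()
    return "https://www.gravatar.com/avatar/" + digest


def accept_comment(email, session_email=None, enforce_login=True):
    """Decide how to treat a comment submitted with `email`.

    session_email: address of the account the browser is logged in to, if any.
    enforce_login: True models the WordPress.com check; False models a site
    that only asks for a name and an e-mail address.
    """
    addr = normalize(email)
    owner = session_email is not None and normalize(session_email) == addr
    if enforce_login and addr in REGISTERED_EMAILS and not owner:
        return {"accepted": False, "verified": False, "avatar": None}
    # The avatar is shown either way; only a matching session proves identity.
    return {"accepted": True, "verified": owner, "avatar": gravatar_url(addr)}


if __name__ == "__main__":
    print(accept_comment("alice@example.com"))
    print(accept_comment("alice@example.com", session_email="alice@example.com"))
    print(accept_comment("Alice@Example.com ", enforce_login=False))
```

A site that accepts name-and-email comments can still mark a comment as verified only when the `verified` flag is true, so readers can tell a logged-in author from an address someone typed in.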

  • The topic ‘What stops someone from impersonating your Gravatar email?’ is closed to new replies.