1 comment

[ 5.2 ms ] story [ 16.9 ms ] thread
Previous discussion:

https://news.ycombinator.com/item?id=7371176

For sites like Gravatar[1] that generate an image from a given URL:

> In addition to allowing you to use your own image, Gravatar has a number of built in options which you can also use as defaults .... Most of these work by taking the requested email hash and using it to generate a themed image that is unique to that email address.

Not only would it such an attack function as a network DDOS, but could also cause CPU thrashing as thousands of images are generated simultaneously.

There may also a danger of an amplification attack using Gravatar (or a similar site). For instance, from the Gravatar docs:

> If you'd prefer to use your own default image (perhaps your logo, a funny face, whatever), then you can easily do so by supplying the URL to an image in the d= or default= parameter.

Which will cause a Gravatar server to fetch the image in question.

So - in the Google spreadsheet an attacker could also add an additional Gravatar line for each image, doubling the number of requesting servers with little extra effort.

[1] https://en.gravatar.com/site/implement/images/