All Vendors
platform

Gravite

Gravite deploys consent bypass infrastructure for generic platform functionality. Zero Oracle/Broker risk, but Counselor violations create liability for tooling with unclear business justification.

27 IOCs10 detections100% pre-consent10 sites
70
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Gravite discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

10 detections across 10 sites100% pre-consent activity
CRITICAL

Pre-Consent Activity

Gravite was observed loading and executing before user consent was obtained on 100% of sites where it was detected.

GDPRePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gaps
Customer Impact

What This Means For You

Engineering teams inherit consent violation liability for platform tooling with unclear value proposition. Legal teams must defend privacy violations for infrastructure that likely has compliant alternatives. Budget owners pay for capability that creates regulatory risk without documented benefit.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Gravite

  • Audit current Gravite deployment: what functionality does it provide?
  • Contact vendor for consent-first integration documentation
  • Request technical architecture review: can functionality work post-consent?

If You're Evaluating Gravite

  • Demand vendor demonstrate business necessity for pre-consent loading
  • Require contractual liability assumption for all consent violations
  • Identify replacement: what does Gravite do that requires privacy violation? Find privacy-safe alternative.

Negotiation Leverage

  • Gravite creates consent liability for generic platform functionality with no documented business necessity
  • Vendor must provide consent-first architecture or accept 100% liability for regulatory penalties
  • Generic infrastructure should not require privacy violations - request technical justification or migrate to compliant alternative
  • Current deployment exposes organization to fines for tooling that likely has privacy-safe replacements
Runtime Detections

Runtime Detections

1 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: Platform infrastructure loads before user consent opportunity, creating per-visitor GDPR Article 7 violation. Generic tooling amplifies regulatory risk - enforcement agencies prioritize violations with no documented business necessity.

IOC Manifest

IOC Manifest

10 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*www.gravite.net/_partials/wix-thunderbolt/dist/clientWorker.*.bundle.js*
Tracking script
TRACK
www.gravite.net/_partials/wix-thunderbolt/dist/clientWorker.358349ea.bundle.min.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

Gravite operates as platform infrastructure, competing with generic analytics/CDN frameworks. Limited differentiation observed - functionality appears replaceable with privacy-safe alternatives. No unique capability identified justifying consent bypass risk.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

27 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details