Online investigative journalism and hacking news
by bluetouff

WordPress 4.2: Tor Browser and the Canvas privacy warning prompt

The Tor Browser is known to be used by activists, journalists, and people who need a high level of privacy while browsing. Every possible way to track people on the Internet is a serious concern for the Tor developers, because anonymization does not tolerate approximation, which leads them to make decisions that can seem "over-paranoid" to other developer communities.

Description

In previous WordPress versions (prior to 4.2), Gravatar was already known to be detected as a tracker by some tools such as Ghostery. But with Gravatars disabled, only logged-in users got the warning, because of the admin bar. The 4.2 update to wp-includes/formatting.php introduced a new way to check whether emoji are enabled or not, injecting into wp_head an emoji detection script that uses canvas.

```javascript
window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/72x72\/","ext":".png","source":{"concatemoji":"https:\/\/mywebstite.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.2"}};

!function(a,b,c){function d(a){var c=b.createElement("canvas"),d=c.getContext&&c.getContext("2d");return d&&d.fillText?(d.textBaseline="top",d.font="600 32px Arial","flag"===a?(d.fillText(String.fromCharCode(55356,56812,55356,56807),0,0),c.toDataURL().length>3e3):(d.fillText(String.fromCharCode(55357,56835),0,0),0!==d.getImageData(16,16,1,1).data[0])):!1}function e(a){var c=b.createElement("script");c.src=a,c.type="text/javascript",b.getElementsByTagName("head")[0].appendChild(c)}var f;c.supports={simple:d("simple"),flag:d("flag")},c.supports.simple&&c.supports.flag||(f=c.source||{},f.concatemoji?e(f.concatemoji):f.wpemoji&&f.twemoji&&(e(f.twemoji),e(f.wpemoji)))}(window,document,window._wpemojiSettings);
```

This new addition, even with emoji disabled and while logged out, leads the Tor Browser to display its canvas privacy warning prompt.

WordPress owners running a website with high privacy concerns cannot let the highly trusted Tor Browser show each reader an alert prompt about a possible privacy issue on their website. The ability for Tor Browser users to allow or block canvas hash decoding, for fear of malicious use, has been discussed here and here, and appears in the Tor reference documentation as a fingerprinting threat.

"We display the warning if websites attempt to render image data and then silently extract it, because this is a major, high-entropy, highly stable fingerprinting vector."

"After plugins and plugin-provided information, we believe that the HTML5 Canvas is the single largest fingerprinting threat browsers face today. Initial studies show that the Canvas can provide an easy-access fingerprinting target: The adversary simply renders WebGL, font, and named color data to a Canvas element, extracts the image buffer, and computes a hash of that image data. Subtle differences in the video card, font packs, and even font and graphics library versions allow the adversary to produce a stable, simple, high-entropy fingerprint of a computer. In fact, the hash of the rendered image can be used almost identically to a tracking cookie by the web server."

Even if this is not a security issue with WordPress, I guess the WordPress community should reconsider the use and implementation of this feature, which is not critically useful for most of us, considering that trust and privacy are useful and critical for vulnerable people who use Tor to protect themselves.

How to disable?

If you want to disable this feature to avoid this useless warning on a clean, no-tracking website, you have two solutions:

  • The quick & dirty way: editing wp-includes/formatting.php and removing the code shown above;
  • The quick & smart way: adding the following line to wp-includes/formatting.php to prevent this code from being injected into wp_head: `remove_action( 'wp_head', 'print_emoji_detection_script', 7 );`
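To confirm that the change took effect, the rendered page can be checked for inline scripts that draw to a canvas and read the pixels back, which is the behaviour behind the prompt. The following is an added example, not code from the original article or from WordPress; the function names and both sample pages are constructed for illustration.

```javascript
// Added example: heuristic audit of rendered HTML for inline scripts that
// draw to a canvas and read the pixels back, the pattern Tor Browser flags.
// Function names and both sample pages are constructed for illustration.
const READBACK_CALLS = ["toDataURL", "getImageData", "toBlob"];

// Split <script> elements into inline bodies and external src URLs.
function extractScripts(html) {
  const inline = [], external = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    if (src) external.push(src[1]);
    else if (m[2].trim()) inline.push(m[2]);
  }
  return { inline, external };
}

// Report inline scripts that both create a canvas and call a readback API.
function auditCanvasReadback(html) {
  const { inline, external } = extractScripts(html);
  const findings = [];
  inline.forEach((body, index) => {
    const createsCanvas = /createElement\(\s*["']canvas["']\s*\)/.test(body);
    const calls = READBACK_CALLS.filter((c) =>
      new RegExp("\\." + c + "\\s*\\(").test(body));
    if (createsCanvas && calls.length > 0) {
      findings.push({ index, calls, wpEmoji: body.includes("_wpemojiSettings") });
    }
  });
  return { findings, external }; // external scripts need a separate review
}

// Constructed sample: shortened stand-in for the wp_head output shown above.
const pageBefore = `<head><script type="text/javascript">
window._wpemojiSettings = {"baseUrl":"https://s.w.org/images/core/emoji/72x72/","ext":".png"};
!function(a,b,c){var e=b.createElement("canvas"),d=e.getContext("2d");
d.fillText("x",0,0);c.supports=e.toDataURL().length>3e3||0!==d.getImageData(16,16,1,1).data[0]}(window,document,window._wpemojiSettings);
</script><script src="/wp-includes/js/jquery/jquery.js"></script></head>`;
// Constructed sample: same page once the detection script is no longer printed.
const pageAfter = `<head><script src="/wp-includes/js/jquery/jquery.js"></script>
<script>document.documentElement.className = "js";</script></head>`;

console.log(JSON.stringify(auditCanvasReadback(pageBefore).findings));
console.log(JSON.stringify(auditCanvasReadback(pageAfter).findings));
```

This is a static, pattern-based check: it only inspects inline scripts, so files listed under `external` have to be reviewed separately.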

We hope the WordPress team will consider this issue. Even if it is not related to security, it is related to trust: the trust between over-paranoid people, who sometimes have good reasons to be that paranoid, and website owners who try to run a state-of-the-art WordPress for privacy, just as it should be out of the box.

Thanks to @recifs, @ScreenFeedFr & Yoshi for alerting us and helping us fix it.
