
Tor Browser false positive

Published June 8th, 2015 at 8:07 AM EDT, modified June 8th, 2015 at 8:07 AM EDT

A reader yesterday brought to my attention that his web browser was alerting him that The Safe Mac is trying to extract HTML5 canvas image data, with a scary-sounding warning that this could be used to identify the computer. Of course, I knew that this site does no such thing. Which left me questioning what browser was making this claim, and why?

The answer came this morning in a tip from a friend, who pointed out that it was Tor Browser that was showing this warning. But why, and what exactly does this cryptic warning mean? Sure sounds scary!

This warning is meant to alert the user to sites using a form of tracking called canvas fingerprinting. Essentially, canvas fingerprinting allows a site to use a trick involving the HTML5 canvas tag to gather information that can be used to uniquely identify a computer. This can be used to track users in cases where the user has blocked the creation of cookies, in an attempt to prevent tracking.

Sounds like a good idea to prevent this kind of thing and alert the user, right? Except for the fact that I know for a fact that I’m not doing any kind of tracking whatsoever here. So why was this site being flagged?

Looking at my site’s code, it turned out that there was some JavaScript code being added by WordPress that included a call to create and manipulate an HTML5 canvas element. A little digging showed that this code was added in the WordPress 4.2 update, and provides enhanced support for emojis. I don’t particularly care one way or the other about emoji support on my site, so I added the following lines of code to my theme’s functions.php file:

remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
remove_action( 'wp_print_styles', 'print_emoji_styles' );

This removed those lines of JavaScript code and stopped Tor Browser from alerting on my site. Unfortunately, this means that Tor Browser will be showing the same warning for all WordPress sites that have 1) updated to version 4.2 or later, and 2) not done something like the above to remove the emoji code.
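For admins who want to check whether their own pages still carry an inline script of this kind, here is an added example (not code from this post or from WordPress) that scans a page's HTML for inline scripts that create a canvas and read its pixels back. The function names, the list of readback calls and the sample page are assumptions constructed for illustration.

```javascript
// Static audit (added example): find inline scripts that read canvas pixels back.
// READBACK is an assumed list of the canvas calls that return image data.
const READBACK = ["toDataURL", "getImageData", "toBlob"];

// Collect the bodies of inline <script> elements (those without a src attribute).
function inlineScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim() !== "") out.push(m[2]);
  }
  return out;
}

// Report each inline script that both obtains a canvas and calls a readback API.
function auditCanvasReadback(html) {
  const findings = [];
  inlineScripts(html).forEach((body, index) => {
    const usesCanvas = /createElement\(\s*["']canvas["']\s*\)/.test(body);
    const calls = READBACK.filter((n) => new RegExp("\\." + n + "\\s*\\(").test(body));
    if (usesCanvas && calls.length > 0) {
      // _wpemojiSettings is the global used by the WordPress emoji loader.
      findings.push({ index, calls, wpEmoji: /_wpemojiSettings/.test(body) });
    }
  });
  return findings;
}

// Constructed sample page: one inline script with no canvas use, and a
// shortened stand-in for the WordPress 4.2 emoji detection loader.
const SAMPLE_HTML = `
<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script>var pageLoadedAt = Date.now();</script>
<script>
window._wpemojiSettings = {"ext":".png"};
!function(a,b,c){var k=b.createElement("canvas"),d=k.getContext&&k.getContext("2d");
d.fillText("x",0,0);c.supports={flag:k.toDataURL().length>3e3,
simple:0!==d.getImageData(16,16,1,1).data[0]}}(window,document,window._wpemojiSettings);
</script>
</head><body></body></html>`;

console.log(JSON.stringify(auditCanvasReadback(SAMPLE_HTML), null, 2));
```

A finding with `wpEmoji: true` points at the emoji loader that the two `remove_action` lines above take out; any other finding is a script worth reading by hand. Scripts loaded through `src` are not fetched or inspected by this check.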

WordPress runs approximately 1/5 of all websites, according to some recent statistics. Due to this popularity, WordPress sites have also been frequent targets of attacks for a long time, and for that reason, keeping WordPress up-to-date is extremely important, to prevent exploitation of any known vulnerabilities in the previous version. Thus, any responsible WordPress admin will have updated to version 4.2 as soon as it became available. And yet, these responsible WordPress admins will also have unwittingly caused their sites to be flagged as a potential privacy risk as a result.

Unfortunately, these kinds of false positives are all too common, and can have a severe negative impact on a website’s reputation. Two years ago, when this site was still new, I struggled with The Safe Mac falsely being identified as a malware site. Last year, Avast decided to identify my site’s RSS feed as malware (which really didn’t make any sense at all). And now this.

I’ve rolled with the punches, but have to wonder how many people have been turned away from my site by such issues, believing that it was a malicious site and never returning. Ultimately, when it comes to such security tools, the information they give you can be useful, but it must be taken with a grain of salt! Small sites can be, and have been, destroyed by such issues, through no wrongdoing on the part of the site owner. Do your homework, and determine for yourself whether it seems like a false positive or a real warning.


6 Comments

  • iEscape says:

    I read about that too on security.nl website >> title: Malware valt Mac-gebruikers aan via lek in MacKeeper:
    https://www.security.nl/posting/431093/Malware+valt+Mac-gebruikers+aan+via+lek+in+MacKeeper

    >> see post #5 05-06-2015, 14:19 door Anoniem

  • Canvas fingerprinting ? (no ;) says:

    Hello Thomas,

    Yesterday’s reader here.
    Thank you for answering this question in the post yesterday.
    And also not being too much offended by the a bit using stronger assumptions than reality now seems to accept, as a result of the discovery of a seems to be bug in Torbrowser with WP-code cooperation.

    Your solution did work. I did not get ‘the warning as a service with the “may-word” ‘ anymore with Torbrowser 4.5.1 and also not visiting your website with an older version.

    Who is to blame? Is there someone to blame?
    At least I could have used a bit less stronger assumptions on this notice-matter unless the already explained extra reason for it to find that reasonable enough to choose the words I used.
    My excuses for the assumption that it seemed that you used this kind of tracking techniques on your website for profiling visitors while it now seems to be a new and independent technical problem in the discooperation of WP code and Torbrowser code.

    To me, it seems hard to say that Torbrowser did bad coding-work on this matter because both Torproject and WordPress came in the same time with changes in their code.
    WP on April 23 with 4.2, Tor with a very updated/changed Torbrowser 4.5 version on April 29 and another version on May the 12th.

    Looking further for illustrations of your conclusions, I went to a wordpress site, a page without emoticons but it indeed did have code that triggered a Torbrowser warning (only if you allow the execution of active javascripts on that domain!).

    https://wordpress.org/news/2015/05/wordpress-4-2-2/

    This is the code and I think this is the code you had on your pages as well 😉

    window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/72x72\/","ext":".png","source":{"concatemoji":"https:\/\/wordpress.org\/news\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.3-alpha-32707"}};
    !function(a,b,c){function d(a){var c=b.createElement("canvas"),d=c.getContext&&c.getContext("2d");return d&&d.fillText?(d.textBaseline="top",d.font="600 32px Arial","flag"===a?(d.fillText(String.fromCharCode(55356,56812,55356,56807),0,0),c.toDataURL().length>3e3):(d.fillText(String.fromCharCode(55357,56835),0,0),0!==d.getImageData(16,16,1,1).data[0])):!1}function e(a){var c=b.createElement("script");c.src=a,c.type="text/javascript",b.getElementsByTagName("head")[0].appendChild(c)}var f,g;c.supports={simple:d("simple"),flag:d("flag")},c.DOMReady=!1,c.readyCallback=function(){c.DOMReady=!0},c.supports.simple&&c.supports.flag||(g=function(){c.readyCallback()},b.addEventListener?(b.addEventListener("DOMContentLoaded",g,!1),a.addEventListener("load",g,!1)):(a.attachEvent("onload",g),b.attachEvent("onreadystatechange",function(){"complete"===b.readyState&&c.readyCallback()})),f=c.source||{},f.concatemoji?e(f.concatemoji):f.wpemoji&&f.twemoji&&(e(f.twemoji),e(f.wpemoji)))}(window,document,window._wpemojiSettings);

    Although I am not related in any way to Torproject.org, just a reader and poster with opinions on different matters, I do have another opinion on this that I like to share. Not in the least because I did post here earlier.

    quote
    “Unfortunately, these kinds of false positives are all too common, and can have a severe negative impact on a website’s reputation.”

    These kinds of false positives do not seem to be that common (on that kind of a regular basis). It’s not that Torbrowser is full of bugs and giving warnings on every site for a long time. Torbrowser is a modified version of the Firefox ESR version.
    We are talking here about some sort of a newly discovered bug that is not there for a long time. A bug that has to be solved of course and has to be reported/addressed at Torproject as well.

    ‘As shit happens’, bugs are part of the software developing deal, reason why (hopefully all) software is evolving with many following-up versions as even your software did as well, having different names and versions as well TSM, Adnuke, Admedic, Adwaremedic.
    I earlier did refer to a part of your TSM software function, more specific the output of the “TSM System Reporter.scpt” that could be sent by email, a function that I believe, you decided to modify/change/delete in later versions for which I think was a very good idea from a privacy and security perspective.

    Widespread reputation damage? I heavily doubt if there’s a severe reputation damage.
    In the first place this problem is relatively new, in the second place the market share of Torbrowser users compared to the usual browsers like Safari, Google Chrome, Firefox, Opera is really small.
    Not last nor least as you mention yourself, people are responsible themselves to interpret the warning Torbrowser is giving and to decide if they accept the execution of the canvas scripts or not!
    Standard option is “Not Now”, we all know what people do if they get a message warning, make an effort to get rid of it and go on with what they were doing.

    quote
    “That’s an excellent example of the kind of damage this kind of thing does.”

    Did you actually try to read the information that the other poster here referred to?
    https://translate.google.com/
    Like the “may” warning Torbrowser uses, a poster in that topic is using the expression “seeming to” and asking other readers if they can look at this javascript code (that you now have removed) and can confess or deny if the canvas tracking is the case here.
    Nobody actually did answer to that question which is not that surprising on blogs, same thing about strong opinions.

    Any reputation harm done?
    I think your new article on this matter now has a bigger reach and impact on readers.

    One more thing,
    talking about good advertisement and a big impact.
    Don’t know where I precisely did see it but I remembered that (good publicity).
    Did you know that Apple help pages functionality in Yosemite is actually referring to your website when it comes to “Reed more” 😉 about kinds of malware (catalog) for the Mac?

    I already did promote your adwaremedic product and articles and I will continue to do so. Beside that I probably will be a critical reader as well, but I hope that this extra opinion effort cleared things out in a good way.

    Goodbye

    • James says:

      He never said “these problems with Tor are all too common”, he said “these problems are” which is true. He’s not attacking Tor or WordPress, like you attacked him.

  • Sacha says:

    Gosh, interesting information. I use WordPress on my website too and I was always a bit curious about the emoji code in the 4.2.2 update.

  • Canvas fingerprinting ? (No?,ButYesOneCould!) says:

    ‘WordPress started ;)’ *

    More people noticed and discussed this attention warning already for more than 6 weeks

    26 April 2015
    https://reflets.info/wordpress-4-2-tor-browsers-and-canvas-privacy-warning-prompt/

    6 weeks ago ticket on wordpress.org
    https://core.trac.wordpress.org/ticket/32138

    1 ‘month’ ago discussion
    https://wordpress.org/support/topic/42-admin-canvas-tracking?replies=10

    Despite the discussion one can have if/when canvas tracking is a useful tracking method, it seems that the new WordPress emoji code can actually be used for user tracking.
    And if it’s possible … it will probably be used in the future.

    It’s just a matter of a little hash to store.

    Generate your own here (besides reading the article 😉
    https://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block

    Posted a question about this warning matter on the torproject.org site.
    A question which is not approved and placed yet.
    Maybe in the meanwhile the WordPress emoji canvas inventors consider this matter as worth to look at and reconsider too (even for those ‘tiny group’ of privacy minded people).

    Quote
    “If you want to make your case to the developers, start by filing a bug report, and make sure to include everything you’ve shared here (don’t just link to the thread).

    If you make a strong enough case as to why the entire operation of the emoji/smilies and video player system needs to change for a very small minority of users, they might re-consider it.”

    Let’s see what the outcome will be on both sides, WordPress and Torproject.
    In the meanwhile only Torbrowser users will see this warning and probably just click “Not Now” and read on.

    Goodbye

    * Just a little ‘title teaser’ 😉
