Support » Fixing WordPress » Admin canvas tracking

  • Hey,

    I just updated to 4.2 and since then, on every page in the Admin Section, WP tries to read a hidden canvas.

    Why is this happening and how can I turn this off?

    I found this very worrying to have some sort of tracking enabled in the admin section, even when writing posts. With this it’s possible to track who has posted what. Don’t like this.

Viewing 15 replies - 1 through 15 (of 18 total)
  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    There shouldn’t be any tracking in WordPress’s standard Dashboard, though it might be added by something else.

    Try deactivating all plugins. If that resolves the issue, reactivate each one individually until you find the cause.

    If that does not resolve the issue, try switching to the Twenty Fifteen theme to rule out a theme-specific issue (theme functions can interfere like plugins).

    Hello,

    I tried to investigate a little. The fact is this might be a privacy issue related to the 4.2 update. The warning occurs with an up-to-date TorBrowser on every 4.2.
    So I tried to deactivate all my plugins and switch to fifty* themes, on several WordPress installs. The warning still occurs on 4.2, but not on 4.1.2.
    Looking further, this might be connected with gravatars or emoji integration in WordPress.

    Thread Starter James Kook

    (@sirsatras)

    Hi, tested the following:

    Deactivated all Plugins = no difference
    Switched to default Template = no difference
    Reinstalled 4.2 from Admin Menu = no difference

    Will try to do a clean install, but I guess it will still be the same.

    I’m using Firefox and made sure canvases are not read automatically due to tracking:
    http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Using Ghostery on a fresh install of WordPress 4.2, the only “tracker” it is finding and blocking is Gravatar, which is actually the service WordPress uses for avatars, not a tracker (Ghostery considers it a third-party widget).

    Via dev tools, WordPress is not loading any cookies or frames outside of the domain itself.

    The PDF you linked to is referring to the <canvas> element, which “allows for dynamic, scriptable rendering of 2D shapes and bitmap images. It is a low level, procedural model that updates a bitmap and does not have a built-in scene graph.” It is not used for tracking.

    https://en.wikipedia.org/wiki/Canvas_element

    In the WordPress code itself, the canvas element is used for Emoji/Smilies and some video player elements.

    The tracking strategy outlined in the PDF suggests that use of <canvas> elements may contribute to a browser fingerprint, which “is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off.”

    https://en.wikipedia.org/wiki/Device_fingerprint

    The primary attributes to a browser’s fingerprint are still largely the user agent, installed plugins/extensions, and window size. It is very unlikely that <canvas> usage offers any beneficial data for a fingerprint, or any beneficial data beyond what your browser already shares.

    If you’re interested, you can see just how unique your browser’s fingerprint is, and all of the elements that go into it, at https://panopticlick.eff.org/

    In short, there is no tracking in the WordPress Dashboard. <canvas> is used for legitimate reasons, cannot be used for tracking, and may only contribute a negligible amount of data towards your browser’s fingerprint.

    As explained here https://reflets.info/avertissement-de-confidentialite-sur-wordpress-4-2/ (sorry it’s in French), I really trust WordPress enough, but the fact is Tor browser detects it like a possible privacy issue by default and gives a prompt to allow or block it. The issue points to the hash of the rendered image, which can be used as a tracking cookie.

    https://trac.torproject.org/projects/tor/ticket/7084

    http://tor.stackexchange.com/questions/3283/html5-canvas-security-flaw
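
    Added example, not part of the thread and not WordPress or Tor Browser code: one way to find out which script is reading a canvas, as asked at the top of the thread, is to wrap the canvas read-back methods and record the calling stack. The names `instrumentCanvasReads`, `canvasReadProbe` and `__canvasReads` are assumptions made for this sketch.

```javascript
// Added example: log every canvas read-back with the stack of the script that made it.
// instrumentCanvasReads, canvasReadProbe and __canvasReads are names chosen for this sketch.
function instrumentCanvasReads(canvasProto, contextProto, log) {
  const wrapped = [];
  const wrap = (proto, name) => {
    const original = proto && proto[name];
    if (typeof original !== 'function') return;
    proto[name] = function canvasReadProbe(...args) {
      // "this" is the canvas for toDataURL/toBlob and the 2D context for getImageData.
      const canvas = this.canvas || this;
      const stack = String(new Error().stack)
        .split('\n')
        .map((line) => line.trim())
        // Drop the "Error" header (Chromium) and this wrapper's own frame.
        .filter((line) => line && !/^Error\b/.test(line) && !line.includes('canvasReadProbe'));
      log.push({ method: name, size: `${canvas.width}x${canvas.height}`, stack });
      return original.apply(this, args); // the page still gets its normal result
    };
    wrapped.push(name);
  };
  // Common 2D read-back paths: these are the calls that turn rendered pixels into data.
  wrap(canvasProto, 'toDataURL');
  wrap(canvasProto, 'toBlob');
  wrap(contextProto, 'getImageData');
  return wrapped;
}

// In a browser, install the probe and keep the log on window for inspection.
if (typeof HTMLCanvasElement !== 'undefined' && typeof CanvasRenderingContext2D !== 'undefined') {
  window.__canvasReads = [];
  instrumentCanvasReads(
    HTMLCanvasElement.prototype,
    CanvasRenderingContext2D.prototype,
    window.__canvasReads
  );
}
```

    To catch reads made during page load, run it before the page's own scripts (for example from a userscript set to run at document start), then inspect `window.__canvasReads` in the console.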

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Yep, as mentioned, it’s a potential component of a browser fingerprint, just like the plugin/extensions you use, your window size, etc. Nothing more.

    It’s not a security issue.

    It’s a standard HTML5 tag being used legitimately in WordPress that some lousy people found a way to use as a tiny portion of barely identifying information.

    Tor has chosen to react the way they do because the Tor browser is designed to block all potentially identifying information. (which is kind of a moot point if you’re logging in to your account anyway)

    The fact is since 4.2, you don’t even need to be logged in to get the warning 😉

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Then I guess don’t use smilies, emoji, or the video player.

    Really, it’s not a security problem, and their warning is a bit over-paranoid.

    I agree it’s a bit over-paranoid for a lot of us, but people using Tor feel concerned with that kind of warning… in some countries they are right to be over-paranoid.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    If you want to make your case to the developers, start by filing a bug report, and make sure to include everything you’ve shared here (don’t just link to the thread).

    If you make a strong enough case as to why the entire operation of the emoji/smilies and video player system needs to change for a very small minority of users, they might re-consider it.

    https://make.wordpress.org/core/handbook/reporting-bugs/

    Thread Starter James Kook

    (@sirsatras)

    Hi,

    I did remove all files from my webspace, apart from the config and content folder. Then I re-uploaded all files from the zip.

    Since then the Message is gone.

    bluetouff can you try and confirm it’s the same for you?

    Hi,

    SirSatras, just did exactly like you did, I still get the prompt.
    Even on a fresh install.

    I wrote a more complete description and the way I fixed it here: https://reflets.info/wordpress-4-2-tor-browsers-and-canvas-privacy-warning-prompt/

    Thread Starter James Kook

    (@sirsatras)

    It’s not a security issue.

    It’s a standard HTML5 tag being used legitimately in WordPress that some lousy people found a way to use as a tiny portion of barely identifying information.

    Tor has chosen to react the way they do because the Tor browser is designed to block all potentially identifying information. (which is kind of a moot point if you’re logging in to your account anyway)

    I understand that there is a legit use of this, but as people will have this “issue” with their Blog, most of the visitors will think they are being tracked and will stop visiting the Blog.

    I hope this “feature” will be changed for the Admin to be able to turn this off.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    most of the visitors will think they are being tracked and will stop visiting the Blog.

    By “most of the visitors” I assume you mean your visitors using the Tor browser? Because, none of the major browsers have a check like this, and Tor is an incredibly small minority.

    I hope this “feature” will be changed for the Admin to be able to turn this off.

    As already mentioned, you can “turn this off” by not using emoji/smilies or the embedded video player in your posts. Those rely on the <canvas> element, but you don’t have to use them.

    Thread Starter James Kook

    (@sirsatras)

    I wasn’t using TorBrowser when I got that warning.

    Standard Firefox
