Tor Browser Fails to Disable Dangerous Google Formats
Reprinted with permission from Ryan Farmer.
Tor Browser Enables WebP and AVIF by Default, In All Safety Modes.
Tor Browser is based on Mozilla Firefox, and as such inherits almost all of the same vulnerabilities, especially in the default Safety Slider mode, where nearly everything from Mozilla Firefox that can be used to attack your computer is enabled by default.
This mode is only appropriate to browse the Web if your safety isn’t really that important, and in which case, the only reason to use Tor Browser at all would be a censorship firewall or something.
When you turn the Safety Slider to Safer or Safest, it starts de-activating active content, such as certain fonts, video codecs, JavaScript, and WASMs.
However, even on the Safest setting, where almost all of this is disabled and you can pretty much only view static sites, such as the ones that people are _supposed_ to put on the deep and dark Web, Google’s WebP and AVIF image formats are still enabled.
As we saw about a month ago where all major browsers had the exact same zero-click-get-pwned bug and it turned out that the libwebp code is overly complex to the point of being nearly impossible to properly debug, and uniformly implements the same defects due to Google’s “throw code over the wall and fail to properly document how you would make a new implementation if you wanted to (a force of habit), and the stupid library being in all sorts of things that will take months or years to get patched, if they ever all do, we saw what a big mess the proliferation of substandard standards can really bring about.
Fortunately, Mozilla-based browsers (Firefox, SeaMonkey, Pale Moon, Waterfox, Floorp, LibreWolf, GNU IceCat, Tor Browser, and maybe others) allow you to disable WebP and AVIF in about:config.
Just search for image.webp.enabled and image.avif.enabled and double-click both of them to “false”.
You may end up with broken images on some sites. It’s up to you whether to do this.
“And now for a really bad lip reading of LKML and some AMD and Microsoft spam, with lotsa ads. Subscribe to PREMIUM Moronix!”
“Microsoft Larabel” at “Moronix” (Phoronix) pushed out WebP for everything except his benchmarks, which are still in SVG format.
Then he also failed to write anything about the WebP disaster. Hmmm. LOL
Possibly just too busy playing with the large shipment of free processors from AMD, and writing more spam and garbage promoting Windows, while he tells you to turn off your ad blocker so he won’t starve? 😉
But I would say that having all of this attack surface around so you can see images on “Moronix” and a couple of other pointless sites is too much, so off it goes, alongside my other browser lockdowns.
Reliable sources have informed this author that WebP and AVIF are “illegal” image formats in Discord, which means that they actually did make a good technical decision there. If you upload them, it rejects them immediately and won’t show them to anyone in the room, even if you use their Electron-based “app”.
WebP and AVIF are basically an outsourcing issue.
Site owners push WebP on you to save 0.1% of some bloated Web App, and then it’s your computer that has to expend extra resources for them to save 3 KB.
Honestly, most Web images are trash, but over 99.8% of them are still JPEG, PNG, and GIF.
At this point, there’s just the occasional nasty site like Reddit or Moronix that pushes some on you, in my observation, and there are ways to provoke Reddit to always hand you a real JPEG instead of Google’s nuisance format.
WebP is an extremely unfortunate situation. You couldn’t design an image format to have zero days that are almost impossible to find better than WebP or AVIF if you tried.
My guess is, the FBI and other agencies who want to unmask Tor users or put malicious software on their machines, are almost certainly looking through these (mainly) Google codecs looking for bugs and sitting on them. That these image codecs are at least part of a chain in a watering hole attack site set up as Tor hidden services.
The browser vendors like Mozilla and Google are working hard, very hard, to make sure that you can never break the chain. (To borrow something from Fleetwood Mac.)
If they put in lousy stinking feature full of bugs “A”, then you, the user, may just flip it back off.
If they put in A, B, C, D, E, F, G, and you don’t turn any of them off, there’s all kinds of potential.
If you turn off A, D, and part of F, they can still attack you.
You need to get this thing down to the rafters and take away as much of their useful attack surface as possible.
In fact, in the case of these newer Google image formats I would say if you are using Tor and something wouldn’t load because it was a WebP, you’ve most likely stumbled into a watering hole. They can bait you in, feed this thing garbage, and as soon as the page loads, it’s too late.
To infect iPhones and Androids with Pegasus malware, all you had to do was look at an incoming text message.
“When I look at this, what the Pegasus Project has revealed is a sector where the only product are infection vectors, right? They don’t—they’re not security products. They’re not providing any kind of protection, any kind of prophylactic.”
-Edward Snowden“They don’t make vaccines. The only thing they sell is the virus.”
Almost nobody is going to legitimately upload a WebP because nothing shoots to WebP, and almost no user has any idea what they are, unless they come across some bullshit Reddit transcode job that looks like smudgy crap. Then they’re usually posting to forums trying to figure out how to “trick” the server into sending a real JPEG, or resort to converting it back themselves.
As far as I’m concerned, probably the only reason Google threw these things on the Web is for agencies to write more attack code, as these agencies and their contractors are always hoarding more “Nobody But Us” vulnerabilities to weaponize, instead of turning them over to be fixed.
They only ever stand to benefit from complexity and bloat, even if the aim of a vendor was not malicious.
In the past, the agencies have relied on social engineering, like telling people to install Flash or Java, or to download malicious executables and run them, or malformed video files. They’ve also lured away Tor developers and paid them as consultants to tell them how to attack it.
Who needs that anymore? If Google shits something out, Mozilla gobbles it up, and the next time Tor swallows a Firefox ESR, you’ve got another “mole” in Tor Browser.
That’s really the big bonus in making these huge browsers full of redundant and ill-advised garbage and making them impossible to fix. The agencies can attack pretty much anyone at-will now, on the Web or otherwise.
This problem gets worse all the time, while security posers, like a carnival barker, tell us the issue is not bloated coding horrors, but that we need locked down computers that attack the user. It’s a misdirection. █