Bonum Certa Men Certa

Tor Browser Fails to Disable Dangerous Google Formats

posted by Roy Schestowitz on Oct 07, 2023

Software Update

Reprinted with permission from Ryan Farmer.

Tor Browser Enables WebP and AVIF by Default, In All Safety Modes.

Tor Browser is based on Mozilla Firefox, and as such inherits almost all of the same vulnerabilities, especially in the default Safety Slider mode, where nearly everything from Mozilla Firefox that can be used to attack your computer is enabled by default.

This mode is only appropriate to browse the Web if your safety isn’t really that important, and in which case, the only reason to use Tor Browser at all would be a censorship firewall or something.

When you turn the Safety Slider to Safer or Safest, it starts de-activating active content, such as certain fonts, video codecs, JavaScript, and WASMs.

However, even on the Safest setting, where almost all of this is disabled and you can pretty much only view static sites, such as the ones that people are _supposed_ to put on the deep and dark Web, Google’s WebP and AVIF image formats are still enabled.

As we saw about a month ago where all major browsers had the exact same zero-click-get-pwned bug and it turned out that the libwebp code is overly complex to the point of being nearly impossible to properly debug, and uniformly implements the same defects due to Google’s “throw code over the wall and fail to properly document how you would make a new implementation if you wanted to (a force of habit), and the stupid library being in all sorts of things that will take months or years to get patched, if they ever all do, we saw what a big mess the proliferation of substandard standards can really bring about.

Fortunately, Mozilla-based browsers (Firefox, SeaMonkey, Pale Moon, Waterfox, Floorp, LibreWolf, GNU IceCat, Tor Browser, and maybe others) allow you to disable WebP and AVIF in about:config.

Just search for image.webp.enabled and image.avif.enabled and double-click both of them to “false”.

You may end up with broken images on some sites. It’s up to you whether to do this.

“And now for a really bad lip reading of LKML and some AMD and Microsoft spam, with lotsa ads. Subscribe to PREMIUM Moronix!”

“Microsoft Larabel” at “Moronix” (Phoronix) pushed out WebP for everything except his benchmarks, which are still in SVG format.

Then he also failed to write anything about the WebP disaster. Hmmm. LOL

Possibly just too busy playing with the large shipment of free processors from AMD, and writing more spam and garbage promoting Windows, while he tells you to turn off your ad blocker so he won’t starve? 😉

But I would say that having all of this attack surface around so you can see images on “Moronix” and a couple of other pointless sites is too much, so off it goes, alongside my other browser lockdowns.

Reliable sources have informed this author that WebP and AVIF are “illegal” image formats in Discord, which means that they actually did make a good technical decision there. If you upload them, it rejects them immediately and won’t show them to anyone in the room, even if you use their Electron-based “app”.

WebP and AVIF are basically an outsourcing issue.

Site owners push WebP on you to save 0.1% of some bloated Web App, and then it’s your computer that has to expend extra resources for them to save 3 KB.

Honestly, most Web images are trash, but over 99.8% of them are still JPEG, PNG, and GIF.

At this point, there’s just the occasional nasty site like Reddit or Moronix that pushes some on you, in my observation, and there are ways to provoke Reddit to always hand you a real JPEG instead of Google’s nuisance format.

WebP is an extremely unfortunate situation. You couldn’t design an image format to have zero days that are almost impossible to find better than WebP or AVIF if you tried.

My guess is, the FBI and other agencies who want to unmask Tor users or put malicious software on their machines, are almost certainly looking through these (mainly) Google codecs looking for bugs and sitting on them. That these image codecs are at least part of a chain in a watering hole attack site set up as Tor hidden services.

The browser vendors like Mozilla and Google are working hard, very hard, to make sure that you can never break the chain. (To borrow something from Fleetwood Mac.)

If they put in lousy stinking feature full of bugs “A”, then you, the user, may just flip it back off.

If they put in A, B, C, D, E, F, G, and you don’t turn any of them off, there’s all kinds of potential.

If you turn off A, D, and part of F, they can still attack you.

You need to get this thing down to the rafters and take away as much of their useful attack surface as possible.

In fact, in the case of these newer Google image formats I would say if you are using Tor and something wouldn’t load because it was a WebP, you’ve most likely stumbled into a watering hole. They can bait you in, feed this thing garbage, and as soon as the page loads, it’s too late.

To infect iPhones and Androids with Pegasus malware, all you had to do was look at an incoming text message.

“When I look at this, what the Pegasus Project has revealed is a sector where the only product are infection vectors, right? They don’t—they’re not security products. They’re not providing any kind of protection, any kind of prophylactic.”

“They don’t make vaccines. The only thing they sell is the virus.”

-Edward Snowden

Almost nobody is going to legitimately upload a WebP because nothing shoots to WebP, and almost no user has any idea what they are, unless they come across some bullshit Reddit transcode job that looks like smudgy crap. Then they’re usually posting to forums trying to figure out how to “trick” the server into sending a real JPEG, or resort to converting it back themselves.

As far as I’m concerned, probably the only reason Google threw these things on the Web is for agencies to write more attack code, as these agencies and their contractors are always hoarding more “Nobody But Us” vulnerabilities to weaponize, instead of turning them over to be fixed.

They only ever stand to benefit from complexity and bloat, even if the aim of a vendor was not malicious.

In the past, the agencies have relied on social engineering, like telling people to install Flash or Java, or to download malicious executables and run them, or malformed video files. They’ve also lured away Tor developers and paid them as consultants to tell them how to attack it.

Who needs that anymore? If Google shits something out, Mozilla gobbles it up, and the next time Tor swallows a Firefox ESR, you’ve got another “mole” in Tor Browser.

That’s really the big bonus in making these huge browsers full of redundant and ill-advised garbage and making them impossible to fix. The agencies can attack pretty much anyone at-will now, on the Web or otherwise.

This problem gets worse all the time, while security posers, like a carnival barker, tell us the issue is not bloated coding horrors, but that we need locked down computers that attack the user. It’s a misdirection.

Other Recent Techrights' Posts

Bloodlust and Love of Blades (Fascination With Murder) Nothing New Among Microsofters
Violence is not a joke and no group is magically entitled to make such "jokes"
Links 01/06/2025: Bird Flu, Food Price Inflation, and Growing US-China Hostilities
Links for the day
Links 01/06/2025: "Vibe Coding" Turns Out to be a Fraud and Amazon Merits Boycott, Argue Bloggers
Links for the day
Gemini Links 01/06/2025: "Stardust" and Ideal PC Setup
Links for the day
Links 01/06/2025: Windows TCO, Openwashing, "It's FOSS" Still Promoting Microsoft
Links for the day
Gemini Links 01/06/2025: Simplification and Networks Everywhere
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, May 31, 2025
IRC logs for Saturday, May 31, 2025
Google Bribes EFF. EFF Promotes LLM Slop as 'Fair Use'. To GAFAM It's a Low-Cost Lobby Hedge.
So the bribes pay off ("slush fund") and the word spreads
Slopwatch: Fake Text and Images, Financial Bubbles, and Scams in "Intelligent" Clothing
Sometimes what they mean by "AI" is just cheap labour somewhere else, as we discussed in IRC a few hours ago
Why Microsoft is Collapsing (Similar to What's Happening at IBM), As Insiders See It
IBM seems like one heck of a mess
Reliable Computing Means Free (Libre) Computing
Sites that want to promote security ought to deal with the biggest issues
Links 31/05/2025: US Court Orders Sides With RFE/RL, War Updates From Ukraine
Links for the day
Gemini Links 31/05/2025: ARM Server and power_supply Subsystem
Links for the day
Links 31/05/2025: Slop Stigmatised as Disinformation, Catalyst/Driver of "Death of Communication"
Links for the day
Common Sense 101: Do Not Write Blog Posts Saying You Want to Murder Colleagues (or Yourself)
Only crazy people would think stabbings are a joke
Microsoft Bankruptcy
"Microsoft unit in Russia to file for bankruptcy, database shows"
Techrights Does Not Compete With LLM Slop, It Exposes the Bastards, Plagiarists and Scammers Who Do That
People like Scam Altman, still facing a lawsuit from his own sister for sexual abuse against her
Links 31/05/2025: Microsoft-Connected Builder.ai is a Fraud and US is Purging Students Based on Race/Nationality
Links for the day
Gemini Links 30/05/2025: Limmat, Doomscrollers, and Arguments Parsing
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, May 30, 2025
IRC logs for Friday, May 30, 2025
The "AI" (Slop) Bubble Already Popped, But It's Not an Overnight Collapse
where Microsoft put its money
No More Steven Astorino at IBM, Chatter About Weekly/Nonstop Layoffs at IBM
What happened? Good luck guessing.
Looking at Corruption in Europe, Going Beyond the EPO
Expect a new series to kick off very soon
Slopwatch: Security SPAM and LLM Slop for SEO and FUD Purposes, Perpetually Tarnishing the Perception of Linux and (Open)SSH Security
A lot of this Fear, Uncertainty, Doubt (FUD) comes from Microsoft and its LLMs
Links 30/05/2025: Google's LLM Slop Pushers Are Killing Journalism and Shira Perlmutter Fails to Stop Bribed Regime From Legalising Plagiarism (in "AI" Clothing)
Links for the day
Links 30/05/2025: Offline Arts and "Threshold of Patience"
Links for the day
Signing Off Serious Lies With a Statement of Truth is No Joking Matter
It's not hard to see what's happening here
Links 30/05/2025: LLM Slop Already Ingests and Vomits Its Own Garbage, Facebook Exec Admits Copyrights a Concern Too
Links for the day
Mass Layoffs at Microsoft Result in More Whistleblowers From Microsoft
Microsoft's predatory pricing is further
Slopwatch: Planet Ubuntu Became LLM Slop and Some People Fail to See the Immorality of Plagiarism
it lessens the incentive for people to publish real articles
EPO Poll: 68% Dissatisfied With Quality of Slop (Wrongly Framed as "AI") for Patent Classification
Slop does not work, it's just falsely advertised with extra hype (funded by slop pushers that sponsor the major media)
Big Crowds Gather to Learn About Software Freedom From the Man Who Started GNU/Linux in 1983
"It was a great success"
Microsoft Layoffs Again in Bay Area
Microsoft relies on people's false belief that being "in LinkedIn" will get you a job; well, seems like even working inside LinkedIn really sucks and you lose the job
Gemini Links 30/05/2025: Fighting Against the Bad News, and Slop is Dehumanisation Disguised as "Intelligence"
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, May 29, 2025
IRC logs for Thursday, May 29, 2025