
Invision Community 4.5 Upgrade


Pleeb


1 hour ago, Ido said:

Same image:

 

Uploaded normally in Tor Browser

[ Image ]

 

With HTML canvas data extraction allowed (click on the image icon on the left side of the url box before the https://)

[ Image ]

 

No idea why this is necessary, generally the forum asks for html canvas data when logged in, probably for device identification. Well, it's not a security risk for Tor users since this data is randomized at each reload, hence the different image colors. But for normal users it may be used to link an uploaded image to a uniquely identifiable user. That's pretty intrusive.

Canvas data isn't a problem between reloads; the issue is that you can identify a particular graphics card by drawing a certain few lines or something, and the result will appear identical but the exact pixel values are unique to each graphics card & configuration.

I don't visit as often as I used to. If you want me to see something, make sure to quote a post of mine or ping me @jean-luc


Bear says he doesn't see a way to check his notifications or messages 

817dcce382edc68a6e574608babcc919.jpg

 

(I haven't checked on my own phone if there's a way, just relaying what Bear said)

Hi! I'm Lumi, host of Reisen, Tewi, Flandre and Lucilyn.

Everyone deserves to love and be loved. It's human nature.

My tulpas and I have a Q&A thread, which was the first (and largest) of its kind. Feel free to ask us about tulpamancy stuff there.


@jean-luc

This is correct for unprotected users.

 

Tor browser generates a randomized output of these pixel values with each reload as tracking protection, but this inevitably messes up the canvas. If I upload the same pic 5 times I get 5 different colored patterns but no image.

 

You can test your canvas fingerprint at https://amiunique.org/

 

spacer.png

 

The first two are reloads with the Tor Browser canvas protection on, resulting in a unique pattern of stripes which changes every time and hence is useless for tracking. The last is how a canvas looks for a normal user with protection off; it always stays the same unless you fundamentally change your device. Not totally unique but almost, due to OS, hardware and driver dependency.

 

The same should be achievable with addons like canvas blocker but it tends to break even more websites.

 

The question still remains - why is this stuff needed for image upload? I do not think it was implemented with malicious intent, it probably is some 'feature' for resizing or cropping images.

 

Well anyway I doubt there are more than 2 forum users affected and we can easily circumvent this. Still would ask the invision community why this was implemented and if it is really necessary. There should at least be some fallback mechanism in case canvas data is unavailable. The more websites depend on this the harder tracking protection becomes.

Super Girls don't cry
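One way the fallback asked for in the post above could work, as an added example that is not part of the thread or of Invision Community's code: write known pixels to a canvas, read them back, and only use canvas-based image processing if the bytes match. The names `canvasReadbackIsFaithful`, `chooseUploadPath` and `makeFakeContext` are hypothetical, and the fake contexts are constructed stand-ins so the check runs without a browser.

```javascript
// Known probe: four fully opaque RGBA pixels (alpha 255 avoids premultiplication loss).
const PROBE = Uint8ClampedArray.from([
  255, 0, 0, 255,   0, 255, 0, 255,
  0, 0, 255, 255,   17, 34, 51, 255,
]);

// Round-trip the probe through putImageData/getImageData on a 2D context.
// A faithful canvas returns the exact bytes; randomized or blocked readback does not.
function canvasReadbackIsFaithful(ctx) {
  try {
    const img = ctx.createImageData(4, 1);
    img.data.set(PROBE);
    ctx.putImageData(img, 0, 0);
    const back = ctx.getImageData(0, 0, 4, 1).data;
    return back.length === PROBE.length && PROBE.every((v, i) => back[i] === v);
  } catch (e) {
    return false; // readback refused outright
  }
}

// 'canvas' = client-side resize/crop is safe to use,
// 'raw'    = skip canvas processing and send the original file bytes untouched.
function chooseUploadPath(ctx) {
  return ctx && canvasReadbackIsFaithful(ctx) ? 'canvas' : 'raw';
}

// Constructed stand-in for CanvasRenderingContext2D (assumption: only the three
// methods used above are modelled). mode: 'faithful' | 'randomized' | 'blocked'.
function makeFakeContext(mode) {
  let store = new Uint8ClampedArray(16);
  return {
    createImageData: (w, h) => ({ width: w, height: h, data: new Uint8ClampedArray(w * h * 4) }),
    putImageData: (img) => { store = Uint8ClampedArray.from(img.data); },
    getImageData: (x, y, w, h) => {
      if (mode === 'blocked') throw new Error('SecurityError');
      const data = Uint8ClampedArray.from(store);
      if (mode === 'randomized') {
        // XOR with 1..255 so every byte differs, like per-read noise.
        data.forEach((v, i) => { data[i] = v ^ (1 + Math.floor(Math.random() * 255)); });
      }
      return { width: w, height: h, data };
    },
  };
}
```

In a browser the context would come from `document.createElement('canvas').getContext('2d')`; the probe never leaves the page, so the check itself adds nothing to a fingerprint.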


Everything on the top right menu (Messages, Notifications, User Menu etc.) requires a superfluous extra click to activate for some reason. I have to click once, which does nothing, before clicking again, for any UI to show up.

Hi! I'm Lumi, host of Reisen, Tewi, Flandre and Lucilyn.

Everyone deserves to love and be loved. It's human nature.

My tulpas and I have a Q&A thread, which was the first (and largest) of its kind. Feel free to ask us about tulpamancy stuff there.


11 hours ago, Luminesce said:

Everything on the top right menu (Messages, Notifications, User Menu etc.) requires a superfluous extra click to activate for some reason. I have to click once, which does nothing, before clicking again, for any UI to show up.

Does it happen on the light theme for you?

 

And yeah I’m not seeing the notifications options at all on dark theme

EDIT: Does this happen in mobile?  I'm only seeing that happen when I'm on mobile rather than desktop (it looks like it happens when there's no longer room for the notification to appear).

 

If you're on desktop, could I get a screenshot?

Spoiler

An image in a signature behind a hidden tag! 

image.png.4b4fd4a211261c307de1fb4de85312d6.png

 


On 1/8/2021 at 5:12 PM, Ido said:

Same image:

 

Uploaded normally in Tor Browser

695759871_Cirnostronk.thumb.jpg.9abe2a52bdba664e8797ea7940f3f128.jpg

 

With HTML canvas data extraction allowed (click on the image icon on the left side of the url box before the https://)

1681451734_Cirnostronk.thumb.jpg.86a165ef373917c969371725a25ea941.jpg

 

No idea why this is necessary, generally the forum asks for html canvas data when logged in, probably for device identification. Well, it's not a security risk for Tor users since this data is randomized at each reload, hence the different image colors. But for normal users it may be used to link an uploaded image to a uniquely identifiable user. That's pretty intrusive.

Does this happen via copy/paste into a reply / drag files to attach?  Does it happen if you manually upload through the "choose files" option?

 

I tried looking through the source code; one thing it's using canvas data for (which is probably what it was being used for previously) is to see if emojis can be drawn on the canvas before it draws an emoji. It does some kind of pre-test where it draws an emoji on the canvas, then draws an invalid character on the canvas, and compares the two somehow with getImageData, then it clears the canvas and continues rendering the emoji.

 

As for the image uploads, it may be using the canvas data to get it from the clipboard, or in some other validation / legitimate image processing.

Spoiler

An image in a signature behind a hidden tag! 

image.png.4b4fd4a211261c307de1fb4de85312d6.png

 


I feel like I'm in the Twilight Zone or something, I never got switched to the light theme, and the dark theme isn't having many of the glitches people are talking about for me either.

 

6XKIY0T.png

 

Tested, opened in one click on light theme but still took two when I switched back to dark

Hi! I'm Lumi, host of Reisen, Tewi, Flandre and Lucilyn.

Everyone deserves to love and be loved. It's human nature.

My tulpas and I have a Q&A thread, which was the first (and largest) of its kind. Feel free to ask us about tulpamancy stuff there.


14 hours ago, Pleeb said:

Does this happen via copy/paste into a reply / drag files to attach?  Does it happen if you manually upload through the "choose files" option?

 

I usually upload images manually but regardless of the method, results are the same.

I will just upload images to a filehost from now on.

 

Still curious what changed compared to the previous version where image upload worked without canvas data.

 

 
