[wp-trac] [WordPress Trac] #44247: The ability to extract HTML5 canvas image data should be disabled by default in WordPress-based websites

WordPress Trac noreply at wordpress.org
Sun May 27 20:54:32 UTC 2018


#44247: The ability to extract HTML5 canvas image data should be disabled by
default in WordPress-based websites
--------------------------+-----------------------------
 Reporter:  nzflagmaven   |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Privacy       |    Version:  4.9.6
 Severity:  major         |   Keywords:  needs-patch
  Focuses:                |
--------------------------+-----------------------------
 References:
 (1) Closed help topic at
 https://wordpress.org/ideas/topic/prevent-wordpress-websites-from-performing-html5-canvas-fingerprinting
 (2) Closed Trac ticket #32138 at
 https://core.trac.wordpress.org/ticket/32138
 (3) Wikipedia topic 'Canvas fingerprinting' at
 https://en.wikipedia.org/wiki/Canvas_fingerprinting
 (4) Wikipedia topic 'Device fingerprint' at
 https://en.wikipedia.org/wiki/Device_fingerprint
 (5) Wikipedia topic 'WordPress' (Vulnerabilities section) at
 https://en.wikipedia.org/wiki/WordPress

 The little-known ability of WordPress-based websites to extract HTML5
 canvas image data may be of considerable worth to intelligence services,
 to hackers, and to certain WP plugins, but it can only be considered
 utterly vile to users who value not only their own privacy but that of
 visitors to their websites.

 That WordPress websites have this built-in feature, capable of being used
 to uniquely 'fingerprint' the physical devices of visitors, and enabled by
 default, with no 'off' switch available save PHP file editing, may
 actually border on criminal now that the EU GDPR has gone live.

 Even if future core releases provide a settings 'disable' for this
 feature, preferably ticked by default, WordPress websites that want to use
 it should be required to secure the informed permission of their visitors.

 Minimize it, euphemize it, call it a 'non-bug', or find some other
 pretense to shrug off this privacy issue, but expect some fallout when the
 general media gets wind of it, particularly the EU media, and of your
 having been apprised of it more than three years ago but continuing to
 ignore it.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44247>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform