The Brave browser, which emphasizes privacy and security, has been leaking data for several months, according to security researchers.
On Friday, Reddit user “py4YQFdYkKhBK690mZql” posted on a forum that Brave’s Tor mode, introduced in 2018, sent requests for .onion domains to DNS resolvers instead of private Tor nodes. A DNS resolver is a server that converts domain names into IP addresses. This means that the .onion sites people searched for, with the understanding that these searches would be private, were not private. In fact, they could be observed by centralized ISPs.
Moderators of various privacy and security forums refused to accept the post at first, as they wanted the allegations examined more closely.
“It was discovered by my partner at startup, as we are working on an ad and”
The findings were quickly confirmed by security researchers on Twitter. After this, Brave confirmed that they were aware of the problem, and pushed a security update to the browser on Friday night.
The leaks had been going on for several months before Brave became aware of them, said Sean O’Brien, lead researcher at ExpressVPN Digital Security Lab, which conducted further research on the vulnerability and shared it exclusively with CoinDesk. Not only were .onion domain requests observable, but so were all domain requests in Tor tabs, which means that when a site loaded content from YouTube, Google or Facebook, all of these requests could be observable, even if the content itself was not.
“An update to adblocking in the Brave browser introduced a security issue that revealed users of the browser’s most private feature – Tor windows and tabs,” said O’Brien. Users of this Tor feature in Brave expected to have the websites they visit hidden from their ISPs, schools and employers, but those domains (DNS traffic) were revealed instead.
DNS leaks and Brave’s vulnerability timeline
A DNS leak creates a trail in server logs that can be followed by law enforcement, hackers or virtually anyone with high-level network access. Tor is a browser that enables anonymous communication by directing Internet traffic through a large overlay network, which hides a user’s location and protects against network monitoring or traffic analysis. Privacy advocates such as Edward Snowden have championed Tor as a valuable tool for protecting against surveillance.
Those who use the Tor mode in the Brave browser expect their traffic to be protected from exactly the kind of DNS server logging that occurred as a result of this leak, which could reveal which websites they accessed.
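A leak check for the behaviour described above, as an added example that is not from the article or from Brave: it scans a local resolver's query log for .onion names, which should never reach DNS, and can also treat every query from a test machine that browsed only in Tor tabs as a leak. The dnsmasq-style log format, the sample lines and the function names are assumptions.

```python
import re

# Constructed sample in dnsmasq "log-queries" style; hosts and addresses are made up.
SAMPLE_LOG = """\
Feb 19 21:03:11 dnsmasq[812]: query[A] example.com from 192.168.1.10
Feb 19 21:03:12 dnsmasq[812]: query[A] exampleonionaddr.onion from 192.168.1.10
Feb 19 21:03:12 dnsmasq[812]: forwarded exampleonionaddr.onion to 192.0.2.53
Feb 19 21:03:14 dnsmasq[812]: query[AAAA] ExampleOnionAddr.ONION. from 192.168.1.10
Feb 19 21:03:15 dnsmasq[812]: query[CNAME] cdn.tracker.example from 192.168.1.23
Feb 19 21:03:16 dnsmasq[812]: query[A] notonion.example from 192.168.1.10
"""

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def parse_queries(log_text):
    """Yield (qtype, normalized name, client) for each client query line."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            # DNS names are case-insensitive and may carry a trailing root dot.
            name = m.group("name").lower().rstrip(".")
            yield m.group("qtype"), name, m.group("client")


def is_onion(name):
    """True only when the final label is 'onion' (not for 'notonion.example')."""
    return name == "onion" or name.endswith(".onion")


def find_onion_leaks(log_text):
    """Every .onion lookup that reached the resolver instead of staying inside Tor."""
    return [q for q in parse_queries(log_text) if is_onion(q[1])]


def find_tor_session_leaks(log_text, test_client):
    """Assumes test_client used only Tor tabs during capture: any query is a leak."""
    return sorted({n for _, n, c in parse_queries(log_text) if c == test_client})


if __name__ == "__main__":
    for qtype, name, client in find_onion_leaks(SAMPLE_LOG):
        print(f"LEAK {qtype} {name} from {client}")
    print("Tor-session names seen:", find_tor_session_leaks(SAMPLE_LOG, "192.168.1.10"))
```

Run against a resolver you control while exercising the browser's Tor mode; an empty result from both functions is the expected outcome for a non-leaking build.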
“Basically, your ISP wanted to know if you had visited .onion sites, and if they track a log of all the sites you visited, they may report you as ‘suspicious,’” pseudonymous security researcher SerHack said in a direct message.
The Tor Project, makers of the Tor Browser, declined to comment for this piece.
“Brave warns users that Tor windows and tabs in the browser do not provide the same level of privacy as Tor Browser, which was developed directly by the Tor project,” said O’Brien. “However, this DNS leak was correctly described as ‘egregious’ by Brave’s CSO.”
O’Brien examined each version of the Brave browser dating back to its launch in late 2019.
By doing this, he found that the DNS leak first appeared in an update titled “Support CNAME adblocking #11712”, which was introduced to the browser’s source code on October 14, 2020. It was included in the nightly build of the Brave browser the same day.
The Brave browser has two versions: a nightly build for developers and a stable build for regular users. Changes made in the nightly build are tested and then incorporated into the stable build.
Brave released the update containing the DNS leak vulnerability to the browser’s stable version on November 20, 2020.
The vulnerability was not reported until January 12, 2021, via HackerOne, according to GitHub. Brave released a fix for it in the nightly build on February 4, but until py4YQFdYkKhBK690mZql posted about the problem on Reddit and other researchers confirmed it, Brave had not issued a fix for the stable build.
Brave pushed the fix to the stable build on Friday night, the same day reports on the problem were published. CoinDesk has confirmed that the stable version of Brave no longer leaks information to DNS servers.
This means that for several months, users who used Tor mode with the understanding that their traffic was private in fact had it logged by DNS servers, leaving a trace of their online activity. The stable build was fixed two weeks after the nightly build.
Overall, Brave’s nightly build leaked for 113 days, while the stable build did so for 91 days.
“This whole thing is such a scary event for people who want to protect their privacy,” SerHack said. “It seems that Brave did not pay attention to every detail, and this episode should warn us that a single mistake can undo all privacy efforts.”
In response to questions about how long this had been a problem, what the implications were for users and how Brave could ensure that such a thing did not happen in the future, Sydney Huffman, a spokesperson for Brave, made the following statement:
“In mid-January 2021, we were alerted to an error that allowed a network attacker to view DNS requests made in a Brave private window with Tor connection. The reason was a new adblocking feature called CNAME adblocking that initiated DNS requests that did not go through Tor to check if a domain should be blocked.
This bug was discovered and reported by xiaoyinl on HackerOne. We responded immediately to the report and included a fix for this vulnerability in a nightly update on February 4, 2021 (https://github.com/brave/brave-core/pull/7769). As is our usual bug fix process, we have tested the changes in the nightly build to make sure they did not cause regressions or other bugs before dropping into the stable channel.”
Huffman added that given the severity of the problem and the fact that it was now public (and thus easier to exploit), Brave accelerated the timeline for this issue and released the fix on Friday.
She also noted that using a private window with Tor connection through Brave is not the same as using Tor Browser.
“If your personal security depends on being anonymous, we strongly recommend using Tor Browser instead of Brave Tor windows,” she said.
While acknowledging and quickly repairing the problem was a positive end result, cases like these serve as a reminder of the many ways that privacy can be compromised online, even when users think they are taking steps to be safe.
The high level of anonymity that Tor can offer was destroyed, and this vulnerability may have allowed network brokers or attackers to sniff out users and track which websites they visit, according to O’Brien.
“The good news is that content that traveled across the network, such as calls or files, appears to have been protected by Tor,” he said. “However, users in dangerous situations could have been put at risk, especially if they acted with less caution because they expected anonymity.”