The Brave browser, which emphasizes privacy and security, has been leaking data for months, according to security researchers.
On Friday, Reddit user “py4YQFdYkKhBK690mZql” posted in a forum that Brave’s Tor mode, introduced in 2018, sent requests for .onion domains to DNS resolvers rather than through the Tor network. A DNS resolver is a server that converts domain names to IP addresses. This means that the .onion sites people visited in Tor windows, with the understanding that those visits would be private, were not: the lookups could be observed by centralized Internet service providers (ISPs).
Several privacy and security subreddit moderators declined to accept the post initially as they wanted more investigation of the claims.
“It was discovered by my partner at my startup, while we are working on an advertisement and a ‘BS’ blocking VPN service (as well as other things, as shown on the site),” py4YQFdYkKhBK690mZql said in a direct message to CoinDesk. “He mentioned noticing it while looking at your outgoing DNS traffic on his local network.”
The leaks had been ongoing for months before Brave became aware of them, said Sean O’Brien, principal investigator at ExpressVPN Digital Security Lab, who conducted further research on the vulnerability and shared it exclusively with CoinDesk. Not only were .onion domain requests observable, but also all domain requests in Tor tabs, meaning that when a website loaded content from YouTube, Google, or Facebook, all of those requests could be observable, even if the content itself was not.
“An update to ad blocking in the Brave browser introduced a vulnerability that exposed users to the browser’s most private function – Tor windows and tabs,” O’Brien said. “Users of this Tor feature in Brave expected to have the websites they visit hidden from their ISPs, schools and employers, but that domain information (DNS traffic) was revealed.”
DNS leaks and Brave vulnerability timeline
A DNS leak creates a trail in resolver logs that can be followed by law enforcement, hackers, or anyone with privileged network access. Tor is an anonymity network, used through the Tor Browser, that enables anonymous communication by routing Internet traffic over a large overlay network, which hides the user’s location and protects against network surveillance and traffic analysis. Privacy advocates like Edward Snowden and others have recommended Tor as a valuable tool against surveillance.
Those who use the Tor mode in the Brave browser expect their traffic to be protected against exactly the kind of DNS resolver records this leak produced, records that reveal which websites they are accessing.
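The log trail described above is easy to check for on your own network. The following script is an added example, not code from the article or from Brave: it parses dnsmasq-style resolver log lines (constructed samples, not real captures) and flags any query for a .onion name, which by RFC 7686 must never reach the public DNS, so a single such record is an unambiguous sign that a Tor-mode browser is resolving outside Tor.

```python
import re
from collections import Counter

# Constructed sample resolver log lines for illustration; not taken from any real capture.
SAMPLE_LOG = """\
Feb 19 10:01:02 dnsmasq[1234]: query[A] example.com from 192.168.1.20
Feb 19 10:01:03 dnsmasq[1234]: query[A] expyuzz4wqqyqhjn.onion from 192.168.1.20
Feb 19 10:01:05 dnsmasq[1234]: query[AAAA] www.youtube.com from 192.168.1.20
Feb 19 10:01:07 dnsmasq[1234]: query[A] duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion from 192.168.1.20
Feb 19 10:01:09 dnsmasq[1234]: query[A] tracker.example.net from 192.168.1.31
"""

# dnsmasq logs each lookup as "query[TYPE] name from client" when log-queries is on.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def parse_queries(log_text):
    """Yield (qtype, name, client) for every query line; other lines are ignored."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            name = m.group("name").lower().rstrip(".")  # normalise case and trailing dot
            yield m.group("qtype"), name, m.group("client")


def find_onion_leaks(log_text):
    """Return (name, client) pairs for queries under the reserved .onion TLD.

    Tor resolves .onion names inside the network; a resolver should never see
    them, so each hit is a leak regardless of what the browser intended.
    """
    return [(name, client) for _, name, client in parse_queries(log_text)
            if name == "onion" or name.endswith(".onion")]


def leaking_clients(log_text):
    """Count leaked .onion queries per client address to locate the affected host."""
    return Counter(client for _, client in find_onion_leaks(log_text))


if __name__ == "__main__":
    for name, client in find_onion_leaks(SAMPLE_LOG):
        print(f"LEAK: {client} asked the resolver for {name}")
    print(dict(leaking_clients(SAMPLE_LOG)))
```

Clearnet domains loaded from a Tor tab (the YouTube line above) look identical to ordinary traffic in a resolver log, so this check only catches the .onion half of the leak; the rest is only visible by comparing the log against what was opened in Tor windows.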
“Basically your ISP would know if you have visited .onion websites and if you track a log of all the websites you visited, they could report you as ‘suspicious,’” pseudonymous security researcher SerHack said in a direct message.
Tor Project, the makers of the Tor browser, declined to comment on this piece.
“Brave cautions users that the Tor windows and tabs in their browser do not provide the same level of privacy as the Tor browser, which is developed directly by the Tor Project,” O’Brien said. “However, this DNS leak is described as ‘atrocious’ by Brave CSO.”
O’Brien reviewed every version of the Brave browser dating back to its release in late 2019.
In doing so, he discovered that the DNS leak first appeared in a patch for “CNAME Support Adblocking #11712”, which was merged into the browser source code on October 14, 2020. It was included in Brave’s nightly build that same day.
The Brave browser has two versions, a nightly build for developers and a stable build for normal users. Changes made to the nightly build are tested and then eventually incorporated into the stable build.
Brave released the update containing the DNS leak vulnerability to the stable version of the browser on November 20, 2020.
The vulnerability was not reported until January 12, 2021, according to GitHub, via HackerOne. Brave released a fix for it on the nightly build on February 4, but until py4YQFdYkKhBK690mZql posted the issue on Reddit and it was confirmed by other researchers, Brave hadn’t shipped a fix for the stable build.
Brave pushed the fix to the stable build on Friday night, the same day reports of the issue were released. CoinDesk has confirmed that the stable version of Brave no longer leaks information to DNS servers.
This means that for months, users who used Tor mode with the understanding that their traffic was private in fact had their lookups logged by DNS servers, leaving a trace of their online activity. The stable build was corrected two weeks after the nightly build.
Overall, the nightly version of Brave leaked for 113 days, while the stable version leaked for 91 days.
“This is all such a scary incident for people who want to protect their privacy,” SerHack said. “It appears that Brave didn’t pay attention to all the details, and this episode should warn us that a single mistake could nullify all privacy efforts.”
Responding to questions about how long it had been a problem, what the implications were for users, and how Brave could ensure that something like this does not happen in the future, Sidney Huffman, a spokesperson for Brave, issued the following statement:
“In mid-January 2021, we learned of a bug that would allow a network attacker to view DNS requests that were made in a private window on Brave with Tor connectivity. The main cause was a new ad blocking feature called CNAME ad blocking that started DNS requests that did not go through Tor to check if a domain should be blocked.
“This bug was discovered and reported by xiaoyinl on HackerOne. We responded immediately to the report and included a fix for this vulnerability in the February 4, 2021 nightly update (https://github.com/brave/brave-core/pull/7769). As is our usual process for bug fixes, we have been testing the changes every night to make sure they didn’t cause regressions or other bugs before releasing them to the stable channel.”
Huffman added that given the severity of the issue and the fact that it was now public (making it easy to exploit), they sped up the schedule for this issue and released it on Friday.
He also pointed out that using a private window with Tor connectivity through Brave is not the same as using the Tor browser.
“If your personal safety depends on remaining anonymous, we recommend that you use the Tor browser instead of the Brave Tor windows,” he said.
While the acknowledgment and quick fix for the problem were a positive end result, incidents like this serve as a reminder of the many ways privacy can be compromised online, even when users think they are taking steps to be safe.
The high level of anonymity Tor can provide was broken, and this vulnerability could have allowed network intermediaries or attackers to spy on users and track the websites they visit, according to O’Brien.
“The good news is that content that traveled over the network, such as conversations or files, appears to have been protected by Tor,” he said. “However, users in dangerous situations could have been at risk, especially if they acted less cautiously because they expected anonymity.”