Brave Browser Leak exposes user domain information for months




The Brave browser, which emphasizes privacy and security, has been leaking data for months, according to security researchers.

Reddit user “py4YQFdYkKhBK690mZql” posted on a forum Friday that Brave’s Tor mode, introduced in 2018, sends requests for .onion domains to DNS resolvers, rather than private Tor nodes. A DNS resolver is a server that converts domain names to IP addresses. This means that the .onion sites users looked up, on the understanding that these lookups would be private, were not private. In fact, they could be observed by centralized Internet Service Providers (ISPs).

Various privacy and security forum moderators initially refused to accept the post because they wanted the claims checked more closely.

“It was discovered by my partner in my startup, while we are working on an advertisement and VPN service blocking ‘BS’ (as well as other things as stated on the site),” py4YQFdYkKhBK690mZql said in a direct message to CoinDesk. “He mentioned that he noticed it by observing his outgoing DNS traffic on his local network.”

The results were quickly confirmed by security researchers on Twitter. Following this, Brave confirmed that it was aware of the issue and pushed a security patch for the browser Friday night.

The leaks had been ongoing for months before Brave became aware of them, said Sean O’Brien, a senior researcher at ExpressVPN Digital Security Lab, who conducted additional research on the vulnerability and shared it exclusively with CoinDesk. Not only were .onion domain requests observable, but all domain requests in Tor tabs were observable as well, meaning that when a website loaded content from YouTube, Google, or Facebook, all of those requests could be observed, even if the content itself could not.
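The leak described above shows up on the local network as ordinary DNS queries for .onion names. The following is an added example, not code from the article, the researchers or Brave: it parses raw DNS query payloads (for instance UDP port 53 payloads captured on your own network) and flags any lookup for a .onion name. The function names, the packet builder and the sample hostnames are constructed for illustration.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query in RFC 1035 wire format (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_qname(payload):
    """Return the first question name of a DNS query, or None if it cannot be parsed."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:   # QR bit set means a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None                  # truncated before the root label
        length = payload[pos]
        if length == 0:
            break
        if length > 63:                  # compression pointer: not expected in a question
            return None
        label = payload[pos + 1:pos + 1 + length]
        if len(label) != length:
            return None                  # truncated inside a label
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels).lower()

def leaked_onion_queries(payloads):
    """Return the .onion names that appear in plain DNS queries.
    Any hit is a leak: .onion names are meant to be resolved inside Tor, not via DNS."""
    hits = []
    for payload in payloads:
        name = parse_qname(payload)
        if name and (name == "onion" or name.endswith(".onion")):
            hits.append(name)
    return hits

# Constructed sample traffic: two .onion lookups (A and AAAA), one ordinary
# lookup, one truncated query and one runt packet.
SAMPLE = [build_query("exampleonionaddress.onion"), build_query("www.example.com"),
          build_query("ExampleOnionAddress.ONION", qtype=28),
          build_query("a.onion")[:-6], b"\x00\x01garbage"]

if __name__ == "__main__":
    for name in leaked_onion_queries(SAMPLE):
        print("DNS leak:", name)
```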

“An update to ad blocking in Brave browser introduced a vulnerability that exposed users to the browser’s most private feature – Tor windows and tabs,” said O’Brien. “Users of this Tor feature in Brave expected the websites they visit to be hidden from their ISPs, schools, and employers, but this domain information (DNS traffic) was revealed to the square.”

Brave DNS Leaks and Vulnerability Timeline

A DNS leak creates a trail in the server logs that can be followed by law enforcement, hackers, or really anyone with high-level network access. Tor is a browser that enables anonymous communication by directing Internet traffic through a large overlay network, which conceals a user’s location and protects against network surveillance or traffic analysis. Privacy advocates such as Edward Snowden and others have advocated Tor as a valuable tool to protect against surveillance.

Those using the Tor mode service in the Brave browser expect their traffic to be protected against the exact type of DNS server logs that occurred as a result of this leak, which could reveal the websites they access.

“Basically your ISP would know if you have visited .onion websites and if they are tracking a log of all the websites you have visited, they might flag you as ‘suspect’,” said SerHack, a pseudonymous security researcher, in a direct message.

The Tor Project, creator of the Tor browser, declined to comment for this piece.

“Brave warns users that their browser’s Tor windows and tabs do not offer the same level of privacy as the Tor browser, which is being developed directly by the Tor Project,” said O’Brien. “However, this DNS leak was correctly described as ‘blatant’ by the CSO of Brave.”

O’Brien has reviewed every version of the Brave Browser dating from its launch in late 2019.

While doing so, he discovered that the DNS leak first appeared in a fix for “Support CNAME adblocking #11712”, which was introduced in the browser source code on October 14, 2020. It was included in the nightly release of the Brave browser that same day.

The Brave browser has two versions, a nightly version for developers and a stable version for ordinary users. Changes made to the nightly version are tested and then finally incorporated into the stable version.

Brave released the update containing the DNS leak vulnerability in the stable browser version on November 20, 2020.

The vulnerability was not reported until January 12, 2021, according to GitHub, via HackerOne. Brave released a fix for this in the February 4 nightly release, but until py4YQFdYkKhBK690mZql made the issue known on Reddit and it was confirmed by other researchers, Brave had not released a fix for the stable version.

Brave pushed the stable build patch on Friday night, the same day reports of the issue were made public. CoinDesk has confirmed that the stable version of Brave no longer discloses information to DNS servers.

This means that for months, users who used Tor mode believing their traffic was private were actually exposing it to DNS servers, leaving behind a trail of their online activity. The stable version was fixed two weeks after the nightly build.

Overall, the nightly version of Brave leaked for 113 days, while the stable version leaked for 91 days.

“This whole thing is such a frightening incident for people who want to protect their privacy,” SerHack said. “It looks like Brave hasn’t paid attention to all the details, and this episode should be a warning to us that one mistake could undo all privacy efforts.”

Brave’s response

In response to questions about how long the issue lasted, the implications for users, and how Brave might ensure that something like this doesn’t happen in the future, Sidney Huffman, a spokesperson for Brave, released the following statement:

“In mid-January 2021, we became aware of a bug that would allow a network attacker to see DNS queries made in a private Brave window with Tor connectivity. The root cause was a new ad blocking feature called adblocking CNAME which initiated DNS queries that did not go through Tor to see if a domain needed to be blocked.

“This bug was discovered and reported by xiaoyinl on HackerOne. We immediately responded to the report and included a fix for this vulnerability in the February 4, 2021 Nightly Update (https://github.com/brave/brave-core/pull/7769). As is our usual bugfixing process, we tested the changes nightly to make sure they weren’t causing regressions or other bugs before posting them to the stable channel.”

Huffman added that given the severity of the issue and the fact that it was now public (which makes it easier to exploit), they accelerated the timeline for this issue and released it on Friday.

He also noted that using a private window with Tor connectivity through Brave is not the same as using the Tor browser.

“If your personal security depends on anonymity, we strongly recommend that you use the Tor browser instead of the Brave Tor windows,” he said.

While recognition and quick resolution of the problem was a positive end result, examples like these serve as a reminder of the myriad of ways privacy can be compromised online, even when users think they are taking steps to be secure.

The high level of anonymity that Tor can provide has been shattered and this vulnerability could have allowed network intermediaries or attackers to spy on users and track the websites they visit, according to O’Brien.

“The good news is that content that has traveled the network, such as conversations or files, appears to have been protected by Tor,” he said. “Users in dangerous situations, however, could have been exposed to risks, especially if they acted less carefully, as they expected anonymity.”


