Brave Browser Leak exposed user domain information for months

The Brave browser, which emphasizes privacy and security, has been leaking data for months, according to security researchers.

Reddit user ‘py4YQFdYkKhBK690mZql’ posted on a forum on Friday that Brave’s Tor mode, launched in 2018, sent requests for .onion domains to DNS resolvers, rather than private Tor nodes. A DNS resolver is a server that converts domain names into IP addresses. This means that the .onion sites that people searched for, with the understanding that the searches would be private, were not. In fact, they could be observed by central internet service providers (ISPs).

Moderators of several privacy and security subreddits initially did not accept the post because they wanted to investigate the claims more.

“It was discovered by my partner during my inception, as we were working on an ad and ‘BS’ blocking VPN service (as well as other things, as indicated on the website),” said. “He mentions that he noticed this while observing his outgoing DNS traffic on his local network.”

The findings were quickly confirmed by security researchers on Twitter. Following this, Brave confirmed that they were aware of the issue, and released a security fix for the browser Friday night.

The leaks went on for months before Brave became aware of them, says Sean O’Brien, lead researcher at ExpressVPN Digital Security Lab, who did further research on the vulnerability and shared it exclusively with CoinDesk. Not only were .onion domain requests observable, but so were all domain requests in Tor tabs, which means that when a site loaded content from YouTube, Google or Facebook, all of those requests could be observed, even if the content itself was not.

“An ad blocking update in the Brave browser has introduced a vulnerability that exposes users of the most private feature of the browser – Tor windows and tabs,” O’Brien said. “Users of this Tor feature in Brave expected that the websites they visited would be hidden from their ISPs, schools and employers, but that domain information (DNS traffic) was revealed instead.”

DNS leaks and the timeline of Brave’s vulnerability

A DNS leak creates a trail in server logs that can be tracked by law enforcement, hackers or really anyone who has high-level network access. Tor is a browser that enables anonymous communication by guiding Internet traffic through a large overlay network, which hides the user’s location and protects against network monitoring or traffic analysis. Proponents of privacy like Edward Snowden and others have advocated Tor as a valuable tool to protect against surveillance.

Those who use the Tor mode service in the Brave browser expect their traffic to be protected from exactly the kind of DNS server logs that have occurred as a result of this leak, which may reveal which websites they are visiting.
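The leak described above can be spotted from the network side, because RFC 7686 reserves .onion as a special-use name that should never be looked up through ordinary DNS. The following is an added example, not code from the article, Brave or the researchers: it scans resolver query logs for .onion lookups per client. The dnsmasq-style log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed dnsmasq-style query line: "... query[A] <name> from <client>"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

def is_onion(name):
    """True if the top-level label of the queried name is 'onion' (RFC 7686)."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "onion"

def find_onion_leaks(lines):
    """Map each client to the sorted (qtype, name) pairs it sent to plain DNS."""
    leaks = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if m and is_onion(m.group("name")):
            # Normalise case and the trailing root dot so repeats collapse.
            name = m.group("name").rstrip(".").lower()
            leaks[m.group("client")].add((m.group("qtype"), name))
    return {client: sorted(hits) for client, hits in leaks.items()}

# Constructed sample log lines (not real traffic; the .onion name is a placeholder).
SAMPLE_LOG = [
    "Feb 19 21:04:11 dnsmasq[412]: query[A] example.com from 192.168.1.23",
    "Feb 19 21:04:15 dnsmasq[412]: query[A] placeholderhiddenservice.onion from 192.168.1.23",
    "Feb 19 21:04:15 dnsmasq[412]: query[AAAA] PlaceholderHiddenService.onion. from 192.168.1.23",
    "Feb 19 21:04:20 dnsmasq[412]: query[A] onion.example.net from 192.168.1.40",
    "Feb 19 21:04:31 dnsmasq[412]: reply example.com is 192.0.2.10",
]

if __name__ == "__main__":
    for client, hits in find_onion_leaks(SAMPLE_LOG).items():
        for qtype, name in hits:
            print(f"LEAK client={client} type={qtype} name={name}")
```

Any hit means an application on that client handed a .onion name to the system resolver instead of to Tor. As the article notes, ordinary domains requested from Tor tabs leaked too, and those cannot be told apart from normal browsing by name alone.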

“In principle, your ISP would know if you have visited .onion sites and if they track a log of all the sites you have visited, they may report you as ‘suspicious,’” pseudonymous security researcher SerHack said in an instant message.

The Tor Project, makers of the Tor browser, declined to comment on this piece.

“Brave warns users that Tor windows and tabs in its browser do not offer the same level of privacy as Tor Browser, which was developed directly by the Tor project,” said O’Brien. “However, this DNS leak was properly described as ‘severe’ by Brave’s CSO.”

O’Brien has been researching every version of the Brave browser since its launch at the end of 2019.

In doing so, he found that the DNS leak first appeared in a patch for ‘Support CNAME adblocking #11712’, which was introduced into the browser on 14 October 2020 and was included in the nightly build the same day.

The Brave browser has two versions, a nightly build for developers and a stable build for regular users. Changes made in the nightly build are tested and then finally incorporated into the stable build.

Brave introduced the update containing the DNS leak vulnerability to the stable version of the browser on November 20, 2020.

According to GitHub, the vulnerability was only reported via HackerOne on January 12, 2021. Brave released a fix for it in the nightly build on February 4, but until py4YQFdYkKhBK690mZql announced the problem on Reddit and it was confirmed by other researchers, Brave had not yet released a fix for the stable build.

Brave pushed the fix to the stable build on Friday night, and reports of the problem were published the same day. CoinDesk has confirmed that the stable build of Brave is no longer leaking information to DNS servers.

This means that users who have been using Tor mode for months have actually been logged on DNS servers, leaving a trace of their online activity. The stable build was fixed two weeks after the nightly build.

Overall, Brave’s nightly build leaked for 113 days, while the stable build did so for 91 days.

“This whole thing is such a scary incident for people who want to protect their privacy,” SerHack said. “Brave does not seem to have paid attention to all the details, and this episode should warn us that a single mistake can nullify all attempts at privacy.”

Brave’s response

In response to questions about how long this had been a problem, what the implications were for users and how Brave could ensure that such a thing did not happen in the future, Brave spokeswoman Sidney Huffman issued the following statement:

“In mid-January 2021, we were made aware of an error enabling a network attacker to see DNS requests made in a private window in Brave with a Tor connection. The main reason was a new adblocking feature called CNAME adblocking that initiated DNS requests that did not go through Tor, to see if a domain needed to be blocked.

“This bug was discovered and reported by xiaoyinl on HackerOne. We responded immediately to the report and released a fix for this vulnerability in the nightly build on February 4, 2021 (https://github.com/brave/brave-core/pull/7769). As in our usual bug-fixing process, we tested the changes in the nightly build to make sure they did not cause regressions or other bugs before releasing them to the stable channel.”

Huffman added that Brave sped up the timeline for this fix and released it Friday, given the seriousness of the issue and the fact that it is now public (which makes it easier to exploit).

Huffman also noted that using a private window with a Tor connection in Brave is not the same as using the Tor Browser.

“If your personal safety depends on staying anonymous, we strongly recommend using Tor Browser instead of Brave Tor windows,” Huffman said.

While the recognition of the problem and the quick fix were a positive end result, such cases serve as a reminder of the multitude of ways privacy can be compromised online, even when users think they are taking steps to stay safe.

The high level of anonymity that Tor can offer was broken, and this vulnerability could have allowed network intermediaries or attackers to track users and see which websites they visited, according to O’Brien.

“The good news is that content that traveled over the network, such as conversations or files, appears to be protected by Tor,” he said. “However, users in dangerous situations could be put at risk, especially if they acted with less caution because they expected anonymity.”
