Brave Browser Leaked User Domain Information for Months

The Brave browser, which emphasizes privacy and security, has been leaking data for months, according to security researchers.

On Friday, Reddit user “py4YQFdYkKhBK690mZql” posted that Brave’s Tor mode, introduced in 2018, was sending .onion domain requests to DNS resolvers rather than through Tor nodes. A DNS resolver is a server that converts domain names to IP addresses. This means that the .onion sites people looked up, with the understanding that those lookups would be private, were not. In fact, they could be observed by centralized Internet service providers (ISPs).

Several privacy and security subreddit moderators refused to accept the post initially, because they wanted more verification of the claims.

“It was discovered by my partner at my startup, while we were working on a ‘BS’ ad and blocking VPN service (as well as other things, as shown on the website),” said py4YQFdYkKhBK690mZql in a direct message to CoinDesk. “He mentioned this while looking at his outgoing DNS traffic on his local network.”

The results were quickly confirmed by security researchers on Twitter. Brave then confirmed that it was aware of the problem and pushed a security patch for the browser on Friday night.

The leaks had been going on for months before Brave became aware of them, said Sean O’Brien, principal researcher at ExpressVPN Digital Security Lab, who conducted additional research on the vulnerability and shared it exclusively with CoinDesk. Not only were .onion domain requests observable, but so were all domain requests made from Tor tabs, which means that when a website loaded content from YouTube, Google or Facebook, all of those requests could be observed, even if the content itself was not.

“An update of adblocking in the Brave browser introduced a vulnerability that exposed users of the browser’s most private feature – Tor windows and tabs,” said O’Brien. “Users of this Tor-in-Brave feature expected to have the websites they visit hidden from their ISPs, schools and employers, but domain information (DNS traffic) has been revealed.”

DNS leaks and the Brave vulnerability timeline

A DNS leak creates a trail in resolver logs that can be followed by police, hackers, or really anyone who has access to the upstream network. Tor is software that enables anonymous communication by directing Internet traffic through a large overlay network, which hides the user’s location and protects against network surveillance or traffic analysis. Privacy advocates, like Edward Snowden and others, have defended Tor as a valuable tool for protection against surveillance.

Those using the Tor mode in the Brave browser expect their traffic to be protected from exactly the type of DNS server logging that occurred as a result of this leak, which can reveal which sites they are accessing.

“Fundamentally, your ISP would know if you visited .onion sites, and if they keep a record of all the sites visited, they can report you as a ‘suspect’,” said pseudonymous security researcher SerHack in a direct message.

The Tor Project, creator of the Tor browser, declined to comment for this article.

“Brave warns users that Tor windows and tabs on their browser do not offer the same level of privacy as the Tor browser, which is developed directly by the Tor Project,” said O’Brien. “However, this DNS leak was properly described as ‘notorious’ by Brave’s CSO.”

O’Brien has examined each version of the Brave browser since its launch in late 2019.

In doing so, he discovered that the DNS leak first appeared in a patch for “Support CNAME adblocking #11712”, which was introduced to the browser source code on October 14, 2020. It was included in the nightly build of the Brave browser that same day.

The Brave browser has two versions, a nightly build that is for developers and a stable build that is for ordinary users. Changes made to the nightly build are tested and eventually incorporated into the stable build.

Brave released the update containing the DNS leak vulnerability for the stable build of the browser on November 20, 2020.

The vulnerability was not reported until January 12, 2021, according to GitHub, via HackerOne. Brave released a fix for it in the nightly build on February 4, but until py4YQFdYkKhBK690mZql published the problem on Reddit and it was confirmed by other researchers, Brave had not issued a fix for the stable build.

Brave pushed the stable build fix on Friday night, the same day that problem reports became public. CoinDesk confirmed that Brave’s stable build is no longer leaking information to DNS servers.

This means that, for months, users who were using Tor mode because they understood that their traffic was private were actually leaving a trail of their online activity in DNS server logs. The stable build was fixed two weeks after the nightly build.

Overall, the nightly Brave build was leaking for 113 days, while the stable build did so for 91 days.

“This whole thing is a scary incident for people who want to protect their privacy,” said SerHack. “It seems that Brave did not pay attention to all the details, and this episode should alert us that a single mistake can negate all privacy efforts.”

Brave’s response

In response to questions about how long this had been an issue, what the implications were for users and how Brave could ensure that something like this did not happen in the future, Brave spokesman Sidney Huffman issued the following statement:

“In mid-January 2021, we were informed of a bug that would allow a network attacker to view DNS requests made in a private window on Brave with Tor connectivity. The root cause was a new ad blocking feature called CNAME adblocking, which initiated DNS requests that did not go through Tor to see if a domain should be blocked.

“This bug was discovered and reported by xiaoyinl on HackerOne. We responded immediately to the report and included a fix for this vulnerability in the February 4, 2021 nightly update (https://github.com/brave/brave-core/pull/7769). As is our normal bug fixing process, we test the changes every night to make sure they don’t cause regressions or other bugs before releasing to the stable channel.”
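The leak was first noticed by someone watching outgoing DNS traffic on a local network. The following is an added example of that kind of check, not Brave’s code or the researchers’ tooling: it scans resolver query logs (in the style of dnsmasq’s `log-queries` output) for lookups of names under .onion, which RFC 7686 says must never be sent to a DNS resolver, and tallies them per client. The log lines and the .onion name are constructed for the example.

```python
"""Flag DNS queries for .onion names in resolver logs.

Any query for a name under .onion reaching a resolver means something on
the client resolved it outside Tor (RFC 7686). The log format follows
dnsmasq's "log-queries" lines; the sample below is constructed.
"""
import re
from collections import Counter

# Constructed sample log; the .onion label is a placeholder, not a real site.
SAMPLE_LOG = """\
Feb 19 21:01:03 dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Feb 19 21:01:04 dnsmasq[812]: query[A] abcdefghijklmnop.onion from 192.168.1.20
Feb 19 21:01:05 dnsmasq[812]: query[AAAA] cdn.example.net from 192.168.1.20
Feb 19 21:01:07 dnsmasq[812]: query[A] Example.ONION. from 192.168.1.31
Feb 19 21:01:09 dnsmasq[812]: query[A] onion.example.org from 192.168.1.20
"""

# Matches dnsmasq query lines: "query[<type>] <name> from <client>".
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def is_onion(name: str) -> bool:
    """True if the rightmost label is 'onion' (case-insensitive, trailing dot ok)."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] == "onion"


def find_onion_leaks(log_text: str) -> list:
    """Return (client, normalized name, query type) for every .onion lookup."""
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m is None:
            continue  # not a query line (e.g. "forwarded"/"reply" lines)
        if is_onion(m["name"]):
            leaks.append((m["client"], m["name"].rstrip(".").lower(), m["qtype"]))
    return leaks


def leaks_by_client(log_text: str) -> dict:
    """Count .onion lookups per client address, to spot which host is leaking."""
    return dict(Counter(client for client, _, _ in find_onion_leaks(log_text)))


if __name__ == "__main__":
    for client, name, qtype in find_onion_leaks(SAMPLE_LOG):
        print(f"LEAK: {client} looked up {name} ({qtype})")
    print(leaks_by_client(SAMPLE_LOG))
```

Note that `onion.example.org` is correctly not flagged: only names whose top-level label is `onion` count.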

Huffman added that, given the seriousness of the problem and the fact that it was now public (making it easier to exploit), they accelerated the timeline for the fix and released it on Friday.

He also noted that using a private window with Tor connectivity via Brave is not the same as using the Tor browser.

“If your personal security depends on anonymity, it is highly recommended to use the Tor browser instead of the Brave Tor windows,” he said.

While recognizing and quickly fixing the problem has been a positive end result, instances like these serve as a reminder of the numerous ways in which privacy can be compromised online, even when users think they are taking steps to be safe.

The high level of anonymity that Tor can provide was broken, and this vulnerability may have allowed network intermediaries or attackers to spy on users and track the websites they visited, according to O’Brien.

“The good news is that content that has traveled over the network, such as conversations or files, appears to have been protected by Tor,” he said. “Users in dangerous situations, however, could have been put at risk, especially if they acted less cautiously because they expected anonymity.”
