Brave privacy bug exposes Tor onion URLs to your DNS provider

Gandalf_The_Grey

Brave Browser is fixing a privacy issue that leaks the Tor onion URL addresses you visit to your locally configured DNS server, exposing the dark web websites you visit.

Brave is a Chromium-based browser that has been modified with privacy in mind, including a built-in ad blocker, tight data controls, and a built-in Tor browser mode to browse the web anonymously.

Websites located on Tor use onion URL addresses that users can only access through the Tor network. For example, DuckDuckGo's Tor address is https://3g2upl4pq6kufc4m.onion/ and the New York Times' address is https://www.nytimes3xbfgragh.onion/.

To access Tor onion URLs, Brave added a 'Private Window with Tor' mode that acts as a proxy to the Tor network. When you attempt to connect to an onion URL, your request is proxied through volunteer-run Tor nodes who make the request for you and send back the returned HTML.

Due to this proxy implementation, Brave's Tor mode does not directly provide the same level of privacy as using the Tor Browser.
 

plat

I've never used Brave--I had and still have a "gut instinct" about it. This is not the first incident but one in a series, it seems. Following the topic with interest. :whistle::coffee:🥧

Last month, someone over at Wilders discovered Brave's DNS leaks, prompting an engineer from Brave to respond. Very good work. (y) There were several updates to the browser since then but now....?

 

blackice

I've never used Brave--I had and still have a "gut instinct" about it. This is not the first incident but one in a series, it seems. Following the topic with interest. :whistle::coffee:🥧

Last month, someone over at Wilders discovered Brave's DNS leaks, prompting an engineer from Brave to respond. Very good work. (y) There were several updates to the browser since then but now....?

They do seem to be piling up, don't they?
 

Azure

I've never used Brave--I had and still have a "gut instinct" about it. This is not the first incident but one in a series, it seems. Following the topic with interest. :whistle::coffee:🥧

Last month, someone over at Wilders discovered Brave's DNS leaks, prompting an engineer from Brave to respond. Very good work. (y) There were several updates to the browser since then but now....?

“The root cause behind the DNS Leaking bug has been found and fixed (single-line solution available on GitHub). This will be pushed out in our 1.21.x build. Thank you again, all, for helping us catch this!”

Current version is at 1.20.x.
 

upnorth

Another reason why I personally won't jump on the Brave "train". It isn't the first time they stumble and fail with their Tor node solution.
I would recommend using the Tor Project's own browser if one wants to use and access the Tor network.
 

silversurfer

Just to inform, "DNS leak bug" seems to be fixed with the new version of Brave from yesterday:
  • [Security] Fixed DNS leak regression in Tor windows as reported on HackerOne by xiaoyinl. (#13527)
  • [Security] Fixed ISP DNS leak when shields are enabled. (#12575)

Note: Personally, I will avoid discussing trust in browsers any further, but just remember when people were complaining about Chrome (privacy concerns about Google), or similarly when Opera was partially taken over by a company from China. User data (hardware) check-up by Vivaldi during every browser start.
 

upnorth

Note: Personally, I will avoid discussing trust in browsers any further, but just remember when people were complaining about Chrome (privacy concerns about Google), or similarly when Opera was partially taken over by a company from China. User data (hardware) check-up by Vivaldi during every browser start.

Understood and a very fair view, but personally I will point out that specific if it actually holds merit. This time it did, and extra so because it's the second time since November 2020. Vulnerability bugs/issues all browsers/software have and will have no matter what the company/vendor's name, but if a software (browser in this case) fails to do the very basic it's supposed to (privacy in the Tor network) I personally won't use it. I have seen other browsers, even Opera, allow Tor extensions. I say the same thing there. I recommend using the Tor Project's own browser if or when one actually wants to use or access the Tor network.
 
ForgottenSeer 78429

This was a serious issue although I don't think many people use Tor Private Window. But in some cases Brave is better than Chrome, Edge or any other browser.
A Google spokesman said the company is aware of the research and is working on a fix. An Apple representative, meanwhile, said the company is looking into the findings. Ars also contacted Microsoft and Brave, and neither had an immediate comment for this post. As noted above, the researchers said Brave has introduced a countermeasure that prevents the technique from being effective, and other browser makers said they were working on fixes.
 

silversurfer

The implementation in Brave is not designed to be a full replacement for Tor Browser. The company notes on its support page that its browser "does not implement most of the privacy protections from Tor Browser" and that it "recommends using Tor Browser instead of Brave Tor windows" for "absolute anonymity".
One user discovered last week that Brave was leaking information in Tor mode. The user suggested that Brave Browser was leaking the address of sites visited in the mode and the IP of the requester. Brave attempted to resolve .onion domains through traditional DNS look-ups, something that should not happen according to the user.

The new update addresses the privacy issue. Brave engineers fixed the issue so that the information is no longer leaked when the browser's Tor mode is being used.

The company's recommendation to use Tor Browser for full anonymity still stands.
 
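The leak described in the post above shows up on the resolver side as ordinary DNS queries for names ending in .onion, which per RFC 7686 should never reach DNS. The following is an added example, not part of the thread or of Brave's code: it scans a dnsmasq-style query log for such queries. The log lines are constructed, and the function names are illustrative.

```python
import re

# Constructed dnsmasq-style query log (sample data, not taken from the thread).
SAMPLE_LOG = """\
Feb 19 10:01:02 dnsmasq[512]: query[A] example.com from 192.168.1.20
Feb 19 10:01:05 dnsmasq[512]: query[A] 3g2upl4pq6kufc4m.onion from 192.168.1.20
Feb 19 10:01:06 dnsmasq[512]: query[AAAA] www.nytimes3xbfgragh.onion from 192.168.1.20
Feb 19 10:01:09 dnsmasq[512]: query[A] onion.example.org from 192.168.1.31
Feb 19 10:01:11 dnsmasq[512]: query[A] WWW.NYTIMES3XBFGRAGH.ONION. from 192.168.1.31
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")
V2_RE = re.compile(r"[a-z2-7]{16}")   # v2 onion service label: 16 base32 characters
V3_RE = re.compile(r"[a-z2-7]{56}")   # v3 onion service label: 56 base32 characters


def classify_onion(name):
    """Return 'v2', 'v3' or 'malformed' for a .onion name, None for any other name."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-1] != "onion":
        return None                    # e.g. onion.example.org is not an onion name
    if len(labels) < 2:
        return "malformed"             # bare "onion" with no service label
    service = labels[-2]               # subdomains such as "www" sit to the left of it
    if V2_RE.fullmatch(service):
        return "v2"
    if V3_RE.fullmatch(service):
        return "v3"
    return "malformed"


def find_onion_leaks(log_text):
    """Return (client, normalised name, kind) for every .onion query in the log."""
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        kind = classify_onion(m["name"])
        if kind:
            leaks.append((m["client"], m["name"].lower().rstrip("."), kind))
    return leaks


if __name__ == "__main__":
    for client, name, kind in find_onion_leaks(SAMPLE_LOG):
        print(f"{client} asked the local resolver for {name} ({kind})")
```

Any hit means a client handed an onion address to the configured DNS server instead of resolving it inside Tor.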

enaph

Just my 2 cents.
I am not advocating against Brave because it is still much better than Firefox in terms of having better default privacy settings out of the box.
Code is written by humans and mistakes might happen, but Brave should remove this poor implementation of Tor, imho.
 

JasonUK

If I want Tor functionality I'll use the Tor Browser. Brave is a good browser for privacy without the Tor option and is my default browser. I like Firefox too but it should come with privacy implemented not leave it to possible users to scratch around for information on which about:config features to enable/disable.
 

HarborFront

If I want Tor functionality I'll use the Tor Browser. Brave is a good browser for privacy without the Tor option and is my default browser. I like Firefox too but it should come with privacy implemented not leave it to possible users to scratch around for information on which about:config features to enable/disable.
Then LibreWolf browser is right for you. It's still in experimental build though. Try it.

 
