Brave privacy bug exposes Tor onion URLs to your DNS provider

[Gandalf_The_Grey]

Brave Browser is fixing a privacy issue that leaks the Tor onion URL addresses you visit to your locally configured DNS server, exposing the dark web websites you visit.

Brave is Chromium-based browser that has been modified with privacy in mind, including a built-in ad blocker, tight data controls, and a built-in Tor browser mode to browse the web anonymously.

Websites located on Tor use onion URL addresses that users can only access through the Tor network. For example, DuckDuckGo's Tor address is https://3g2upl4pq6kufc4m.onion/ and the New York Time's address is https://www.nytimes3xbfgragh.onion/.

To access Tor onion URLs, Brave added a 'Private Window with Tor' mode that acts as a proxy to the Tor network. When you attempt to connect to an onion URL, your request is proxied through volunteer-run Tor nodes who make the request for you and send back the returned HTML.

Due to this proxy implementation, Brave's Tor mode does not directly provide the same level of privacy as using the Tor Browser.

Brave privacy bug exposes Tor onion URLs to your DNS provider

Brave Browser is fixing a privacy issue that leaks the Tor onion URL addresses you visit to your locally configured DNS server, exposing the dark web websites you visit.

www.bleepingcomputer.com

 

[enaph]

This:

Very poor for a company making a "privacy oriented" browser.
Leaking one's onion queries to the ISP - private af

 

[plat]

I've never used Brave--I had and still have a "gut instinct" about it. This is not the first incident but one in a series, it seems. Following the topic with interest.

Last month, someone over at Wilders discovered Brave's DNS leaks, prompting an engineer from Brave to respond. Very good work. There were several updates to the browser since then but now....?

Brave Browser Discussion & Update Thread

Brave Browser v1.18.78 Released (January 8, 2021) Download / Download (Github) 1.18.78 Upgraded Chromium to 87.0.4280.141. (#13399)

www.wilderssecurity.com

Brave Browser Discussion & Update Thread

Brave Browser v1.18.78 Released (January 8, 2021) Download / Download (Github) 1.18.78 Upgraded Chromium to 87.0.4280.141. (#13399)

www.wilderssecurity.com

 

[blackice]

I've never used Brave--I had and still have a "gut instinct" about it. This is not the first incident but one in a series, it seems. Following the topic with interest.

Last month, someone over at Wilders discovered Brave's DNS leaks, prompting an engineer from Brave to respond. Very good work. There were several updates to the browser since then but now....?

Brave Browser Discussion & Update Thread

Brave Browser v1.18.78 Released (January 8, 2021) Download / Download (Github) 1.18.78 Upgraded Chromium to 87.0.4280.141. (#13399)

www.wilderssecurity.com

Brave Browser Discussion & Update Thread

Brave Browser v1.18.78 Released (January 8, 2021) Download / Download (Github) 1.18.78 Upgraded Chromium to 87.0.4280.141. (#13399)

www.wilderssecurity.com

They do seem to be piling up don’t they.

 

[Azure]

I've never used Brave--I had and still have a "gut instinct" about it. This is not the first incident but one in a series, it seems. Following the topic with interest.

Last month, someone over at Wilders discovered Brave's DNS leaks, prompting an engineer from Brave to respond. Very good work. There were several updates to the browser since then but now....?

Brave Browser Discussion & Update Thread

Brave Browser v1.18.78 Released (January 8, 2021) Download / Download (Github) 1.18.78 Upgraded Chromium to 87.0.4280.141. (#13399)

www.wilderssecurity.com

Brave Browser Discussion & Update Thread

Brave Browser v1.18.78 Released (January 8, 2021) Download / Download (Github) 1.18.78 Upgraded Chromium to 87.0.4280.141. (#13399)

www.wilderssecurity.com

“The root cause behind the DNS Leaking bug has been found and fixed (single-line solution available on GitHub). This will be pushed out in our 1.21.x build. Thank you again, all, for helping us catch this!”

Current version is at 1.20.x.

 

[upnorth]

Another reason why I personal won't jump on the Brave " train ". Ain't the first time they stumble and fail with their Tor node solution.

Brave browser acts quickly to resolve Tor session confidentiality bug

Feature did not sufficiently anonymize private browsing sessions Developers at alternative privacy-focused browser Brave have been praised for quickly resolving a potentially troublesome privacy flaw. Security researcher sick.codes found that the Brave private window (incognito) feature with...

malwaretips.com

I would recommend use Tor Projects own browser if one want to use and access the Tor network.

The Tor Project | Privacy & Freedom Online

Defend yourself against tracking and surveillance. Circumvent censorship.

www.torproject.org

 

[silversurfer]

Just to inform, "DNS leak bug" seems to be fixed with the new version of Brave from yesterday:

• [Security] Fixed DNS leak regression in Tor windows as reported on HackerOne by xiaoyinl. (#13527)
• [Security] Fixed ISP DNS leak when shields are enabled. (#12575)

Release Channel 1.20.108

Where to download: Brave Desktop: Download Brave Browser Brave Github repository Linux Linux installation instructions Full Release Notes [Security] Fixed DNS leak regression in Tor windows as reported on HackerOne by xiaoyinl. (#13527) [Security] Fixed ISP DNS leak when shields are...

community.brave.com

Note: Personally, I will avoid discussing further about trust in browsers, but just remember when people complaining about Chrome (Privacy concerns about Google) or similar when Opera was taken over partially by a company from China. User data (Hardware) check-up by Vivaldi during every browser start.

 

[upnorth]

Note: Personally, I will avoid discussing further about trust in browsers, but just remember when people complaining about Chrome (Privacy concerns about Google) or similar when Opera was taken over partially by a company from China. User data (Hardware) check-up by Vivaldi during every browser start.

Understood and very fair view, but personal I will point out that specific if it actually holds merit. This time it did and extra so because it's the second time since November 2020. Vulnerability bugs/issues all browsers/software have and will have no matter what the company/vendors name, but if a software ( browser in this case ) fail to do the very basic it's supposed to ( Privacy in the Tor network ) I personal won't use it. I seen other browsers, even Opera allow Tor extensions. I say the same thing there. I recommend use the Tor Projects own browser if or when one actually want to use or access the Tor network.

 

[ForgottenSeer 78429]

This was an serious issue although I don't think many people use Tor Private Window. But in some cases Brave is better than Chrome, Edge or any other browser.

A Google spokesman said the company is aware of the research and is working on a fix. An Apple representative, meanwhile, said the company is looking into the findings. Ars also contacted Microsoft and Brave, and neither had an immediate comment for this post. As noted above, the researchers said Brave has introduced a countermeasure that prevents the technique from being effective, and other browser makers said they were working on fixes.

New browser-tracking hack works even when you flush caches or go incognito

 

[silversurfer]

Latest Brave browser update fixes Tor .onion DNS Leak - gHacks Tech News

The makers of the Brave browser have released Brave 1.20.110 to the stable channel, which fixes a DNS leak when accessing .onion sites in the browser.

www.ghacks.net

The implementation in Brave is not designed to be a full replacement for Tor Browser. The company notes on its support page that its browser "does not implement most of the privacy protections from Tor Browser" and that it "recommends using Tor Browser instead of Brave Tor windows" for "absolute anonymity".

One user discovered last week that Brave was leaking information in Tor mode. The user suggested that Brave Browser was leaking the address of sites visited in the mode and the IP of the requester. Brave attempted to resolve .onion domains through traditional DNS look-ups, something that should not happen according to the user.

The new update addresses the privacy issue. Brave engineers fixed the issue so that the information is no longer leaked when the browser's Tor mode is being used.

The company's recommendation to use Tor Browser for full anonymity still stands.

 

[Gandalf_The_Grey]

Latest Brave browser update fixes Tor .onion DNS Leak - gHacks Tech News

The makers of the Brave browser have released Brave 1.20.110 to the stable channel, which fixes a DNS leak when accessing .onion sites in the browser.

www.ghacks.net

Just posted that on your update post

 

[enaph]

Just my 2 cents.
I am not advocating against Brave because it is still much better than Firefox in terms of having better default privacy setting out of the box.
Code is written by humans and mistakes might happen but Brave should remove this poor implementation of TOR imho.

 

[JasonUK]

If I want Tor functionality I'll use the Tor Browser. Brave is a good browser for privacy without the Tor option and is my default browser. I like Firefox too but it should come with privacy implemented not leave it to possible users to scratch around for information on which about:config features to enable/disable.

 

[HarborFront]

If I want Tor functionality I'll use the Tor Browser. Brave is a good browser for privacy without the Tor option and is my default browser. I like Firefox too but it should come with privacy implemented not leave it to possible users to scratch around for information on which about:config features to enable/disable.

Then LibreWolf browser is right for you. It's still in experimental build though. Try it.

New Update - LibreWolf Browser - A fork of Firefox, focused on privacy, security and freedom

Upcoming..................... It'll be great if it can replace FF Homepage https://librewolf-community.gitlab.io/ LibreWolf Browser A fork of Firefox, focused on privacy, security and freedom.

malwaretips.com