How I found a Tor vulnerability in Brave Browser, reported it, watched it get patched, got a CVE (CVE-2020-8276) and a small bounty

[correlate]

Recently, I discovered a small but potentially devastating vulnerability in the new Tor feature of the Brave browser.

As of November 2nd 2020, Brave monthly users have massively increased their browser market share to 20 Million Monthly Active Users + 7 Million Daily Active Users.

Brave is a unique browser, created by Brendan Eich, who is also the inventor/creator of JavaScript. He is also the former CEO of the Firefox browser’s parent company, Mozilla.

Brave is based on Chromium, which is the Open Source version of the well known Chrome browser. Being an Open Source project, this allows any developer, anywhere, the ability to inspect the source code of the project. You can inspect the code yourself here: brave/brave-core

In 2018 Brave added the ability to integrate Tor sessions into their Incognito mode. Essentially, it is Private Window browsing inside Chrome, with an added Tor network traffic routing circuit, for a whole range of added privacy bonuses: Brave Introduces Beta of Private Tabs with Tor for Enhanced Privacy while Browsing | Brave Browser

How I found a Tor vulnerability in Brave Browser, reported it, watched it get patched, got a CVE (CVE-2020-8276) and a small bounty, all in one working day - Research Hub - disclose.io
 

dinosaur07

Funny thing.
Kaspersky doesn't let me see the page.
 
