The Brave browser, which emphasizes privacy and security, has been leaking data for months, according to security researchers.
On Friday, Reddit user “py4YQFdYkKhBK690mZql” posted on a forum that Brave’s Tor mode, introduced in 2018, was sending requests for .onion domains to DNS resolvers, rather than private Tor nodes. A DNS resolver is a server that converts domain names into IP addresses. This means the .onion sites people searched for, with the understanding those searches would be private, were not. In fact, they could be observed by centralized internet service providers (ISPs).
Various privacy and security subreddit moderators refused to accept the post initially because they wanted more vetting of the claims.
“It was discovered by my partner on my startup, as we're working on an ad and ‘BS’ blocking VPN service (as well as other things, as shown on the site),” said py4YQFdYkKhBK690mZql in a direct message to CoinDesk. “He mentioned noting it while observing his outbound DNS traffic on his local network.”
The leaks had been ongoing for months before Brave became aware of them, said Sean O’Brien, principal researcher at ExpressVPN Digital Security Lab, who conducted further research into the vulnerability and shared it exclusively with CoinDesk. Not only were .onion domain requests observable but so were all domain requests in Tor tabs, meaning that when a website loaded content from YouTube, Google or Facebook, all of those requests could be observable, even if the content itself was not.
“An update to adblocking in Brave browser introduced a vulnerability that exposed users of the browser's most private feature – Tor windows and tabs,” said O’Brien. “Users of this Tor feature in Brave expected to have the websites they visit hidden to their ISPs, schools and employers, but that domain information (DNS traffic) was instead revealed.”
DNS leaks and Brave’s vulnerability timeline
A DNS leak creates a trail in server logs that can be followed by law enforcement, hackers or anyone else with high-level network access. Tor is a browser that enables anonymous communication by directing internet traffic through a large overlay network, which conceals a user's location and protects against network surveillance or traffic analysis. Privacy advocates such as Edward Snowden have endorsed Tor as a valuable tool for protecting against surveillance.
Those using the Tor mode service in the Brave browser expect their traffic to be protected against exactly the sort of DNS server logs that occurred as a result of this leak, which could reveal what websites they are accessing.
“Fundamentally, your ISP would know if you had visited .onion websites and if they track a log of all the websites you visited, they might report you as ‘suspicious,’” said pseudonymous security researcher SerHack in a direct message.
The Tor Project, makers of the Tor browser, declined to comment for this piece.
“Brave warns users that Tor windows and tabs in its browser do not provide the same level of privacy as Tor Browser, which is developed directly by the Tor Project,” said O’Brien. “However, this DNS leak was properly described as ‘egregious’ by Brave's CSO.”
O’Brien examined each build of the Brave browser dating back to its launch in late 2019.
In doing so, he found the DNS leakage first showed up in a patch for "Support CNAME adblocking #11712," which was introduced to the browser source code on Oct. 14, 2020. It was included in the Brave browser nightly build that same day.
The Brave browser has two versions – a nightly build that is for developers and a stable build that is for ordinary users. Changes made in the nightly build are tested and then eventually incorporated into the stable build.
Brave released the update containing the DNS leakage vulnerability to the browser’s stable build on Nov. 20, 2020.
The vulnerability was not reported until Jan. 12, 2021, via HackerOne, according to GitHub. Brave released a fix for it in the nightly build on Feb. 4, but until py4YQFdYkKhBK690mZql publicized the issue on Reddit and other researchers confirmed it, Brave had not issued a fix to the stable build.
Brave pushed the stable build fix on Friday evening, the same day reports of the problem were made public. CoinDesk has confirmed that the stable build of Brave is no longer leaking information to DNS servers.
This means that for months users who were using the Tor mode with the understanding their traffic was private were, in fact, having it logged in DNS servers, leaving behind a trail of their online activity. The stable build was fixed two weeks after the nightly build.
Overall, the nightly Brave build was leaking for 113 days, while the stable build was doing so for 91 days.
“This entire thing is such a scary incident for people [who] want to protect their privacy,” said SerHack. “It seems Brave did not pay attention to all details, and this episode should warn us that a single mistake might nullify all the efforts on privacy.”
In response to questions about how long this had been an issue, what the implications for users were and how Brave could ensure something like this doesn't happen in the future, Sydney Huffman, a spokesperson for Brave, issued the following statement:
“In mid-January 2021, we were made aware of a bug that would allow a network attacker to see DNS requests that were made in a private window in Brave with Tor connectivity. The root cause was a new adblocking feature called CNAME adblocking which initiated DNS requests that did not go through Tor in order to check if a domain should be blocked.
“This bug was discovered and reported by xiaoyinl on HackerOne. We responded immediately to the report and included a fix for this vulnerability in the February 4, 2021, nightly update (https://github.com/brave/brave-core/pull/7769). As is our usual process for bug fixes, we have been testing the changes in nightly to make sure that they didn't cause regressions or other bugs before releasing to the stable channel.”
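The root cause Brave describes, an adblock check that resolved names outside the Tor path, modelled in Python as an added example for this article; it is not Brave's code or the fix in the pull request above, and the zone data, blocklist and resolver classes are constructed assumptions. The vulnerable variant ignores the window's network context; the fixed variant never sends .onion names to a resolver and routes every other lookup the same way the window's traffic goes.

```python
# Constructed model of a CNAME-uncloaking adblock check that must not leave the
# Tor path; the zone data, blocklist and resolvers are assumptions, not Brave's code.
from typing import Callable, Dict, List, Optional

ZONE: Dict[str, str] = {  # constructed: a first-party subdomain cloaking a tracker
    "metrics.example-news.test": "cdn.tracker-corp.test",
    "cdn.tracker-corp.test": "edge.tracker-corp.test",
}
BLOCKLIST = {"tracker-corp.test"}
Resolver = Callable[[str], Optional[str]]  # name -> CNAME target, or None

class ClearNetResolver:
    """Stand-in for the system resolver: every name it sees, the ISP sees."""
    def __init__(self) -> None:
        self.observed: List[str] = []  # the DNS-leak trail
    def __call__(self, name: str) -> Optional[str]:
        self.observed.append(name)
        return ZONE.get(name)

class TorResolver:
    """Stand-in for resolution carried inside the Tor circuit, invisible to the ISP."""
    def __call__(self, name: str) -> Optional[str]:
        return ZONE.get(name)

def _on_blocklist(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in BLOCKLIST)

def uncloak_and_check(name: str, resolve: Resolver, max_hops: int = 5) -> bool:
    """Follow the CNAME chain; block if any alias in it is on the blocklist."""
    seen, current = set(), name
    for _ in range(max_hops):
        if _on_blocklist(current):
            return True
        if current in seen:  # CNAME loop guard
            break
        seen.add(current)
        target = resolve(current)
        if target is None:
            break
        current = target
    return False

def should_block_vulnerable(name: str, tor_window: bool, clear: ClearNetResolver) -> bool:
    # Bug pattern: tor_window is ignored, so a Tor window's lookups hit the clear-net resolver.
    return uncloak_and_check(name, clear)

def should_block_fixed(name: str, tor_window: bool, clear: ClearNetResolver, tor: TorResolver) -> bool:
    if name.endswith(".onion"):  # not in public DNS; never look these up anywhere
        return False
    return uncloak_and_check(name, tor if tor_window else clear)  # same path as the traffic
```

Checking `ClearNetResolver.observed` after each call is the offline equivalent of watching outbound DNS traffic on the local network, as the original reporter did.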
Huffman added that given the severity of the issue and the fact that it was now public (thereby making it easier to exploit), the company accelerated the timeline for this issue and released the fix on Friday.
She also noted that using a private window with Tor connectivity through Brave is not the same as using Tor Browser.
“If your personal safety depends on remaining anonymous, we highly recommend using Tor Browser instead of Brave Tor windows,” she said.
While the recognition and quick fix for the issue were a positive end result, instances such as these serve as a reminder of the multitude of ways that privacy can be compromised online, even when users think they’re taking steps to be secure.
The high level of anonymity that Tor can provide was broken, and this vulnerability might have allowed network intermediaries or attackers to snoop on users and track what websites they visit, according to O’Brien.
“The good news is that the content that traveled across the network, such as conversations or files, seems to have been protected by Tor,” he said. “Users in dangerous situations, however, could have been put at risk, especially if they acted with less caution because they expected anonymity.”