According to an IT security researcher, the Chromium-based, privacy-focused web browser Brave had a vulnerability that was leaking DNS requests. This was later confirmed by PortSwigger’s Director of Research, James Kettle, and CERT/CC vulnerability analyst Will Dormann.
Due to this, user activities on Tor anonymity network’s hidden servers, the Dark Web, were being exposed to their ISPs (internet service providers).
It is worth noting that as of November 2020, the Chromium-based, privacy-focused Brave Browser had over 20 million users and it also made headlines for entering the dark web with its own Tor Onion service.
Brave has a built-in feature to enable Tor’s integration with the browser to obscure a user’s web activities and offer optimum privacy and security. Tor, conversely, is also used to access .Onion sites, most of which are hosted on the Dark Web.
According to a post published by the researcher on Rumble, since DNS requests are unencrypted so any requests made to access .Onion sites via Brave to Tor were traceable, which contradicts the browser’s privacy claims.
How Brave browser Leaked Tor DNS Requests?
In Tor mode, Brave is expected to forward all the Tor proxies’ requests without sending them to any non-Tor internet services. This is a crucial step to ensure user privacy when surfing the web.
However, the bug identified in Brave’s Private Window with Tor mode caused the .onion URL (regardless of the Tor address a user wanted to visit) to be sent to the device’s configured DNS server as a standard DNS query.
BleepingComputer verified this by using Wireshark for viewing DNS traffic in Brave Browser’s Tor mode. When checking DuckDuckGo and The New York Times’ onion URLs in Tor browser mode, Brave browser was found to be sending DNS queries to BleepingComputer’s locally configured DNS servers at IP address 18.104.22.168.
Kettle also provided a screenshot of the evidence while tweeting about the bug that read:
“I just confirmed that yes, Brave browsers Tor mode appear to leak all the .onion addresses you visit to your DNS provider.”
Vulnerability fixed – Update your browser
According to a Brave browser developer using Twitter handle @bcrypt, a hotfix will be released to address this issue. The company was already aware of the issue and reported it 18 days back on its Github page.
The developer revealed that the issue was caused by the browser’s CNAME decloaking ad-blocking feature. This feature blocks third-party tracking scripts, which use CNAME DNS records for impersonating the first-party script.
1. this was already reported on hackerone, was promptly fixed in nightly (so upgrade to nightly if you want the fix now)
2. since it's now public we're uplifting the fix to a stable hotfix
root cause is regression from cname-based adblocking which used a separate DNS query https://t.co/dLjeu4AXtP
— yan (@bcrypt) February 19, 2021
This feature is currently blocked in the Tow browsing mode. The developer noted that the issue had been fixed in the browser’s development build.
“Since it’s now public we’re uplifting the fix to a stable hotfix,” wrote the developer on Twitter.
For more details on the fix, visit Brave browser’s release notes here.