The Brave browser is known to protect the privacy of its users through its privacy-focused features. But lately, it has been found that the Tor developers had to rush in the bid to fix a bug that has initially been leaking the users’ darknet activity in the DNS traffic.
Since 2018, the anonymous and popular Brave browser has introduced the Tor mode for permitting the users to visit the .onion addresses of the dark web without having to open the actual Tor browser. But unfortunately, an anonymous security researcher had demonstrated how the browser had been sending queries for the onion URLs to the public DNS resolvers. This made it possible to see the activity the users were engaged in on the dark web, which eventually was defeating the purpose of Brave’s Tor mode.
Initially, the bug had been addressed in a hotfix release (V1.20.108). According to a Ramble based report, the privacy hampering bug in the Tor mode of the Brave browser had made it possible to leak each .onion addresses to the DNS resolvers that the users had been visiting.
“Your ISP or DNS provider will know that a request made to a specific Tor site was made by your IP,” the post read.
By design, the DNS requests are unencrypted. This means that any request to access the .onion sites in the Brave browser can be tracked, which truly defeats the actual purpose of the Brave’s privacy feature regarding Tor.
The issue had originated from the CNAME ad-blocking feature of Brave browser that restricts the third-party tracking scripts using the CNAME DNS records to impersonate the first-party script and avoids the content blockers to detect. In this condition, a website is able to cloak the third-party scripts utilizing the sub-domains of the original domain and are then automatically redirected to a tracking domain.
The authorities of Brave already were aware of the issue as it had been then reported on HackerOne, a bug bounty platform, on the 13th of January, 2021. Following this, the security flaw had been resolved in a Nightly release around 18 days ago.
It seems that the security patch had been originally scheduled to roll out in the Brave browser 1.21.x. But the browser company did not want to disclose it to the public, and thus it is said to have been pushing it to the stable Brave browser version. However, the browser users can visit the Menu (☰) on the top right and select “About Brave” for downloading and installing the latest update.
Disclaimer: Read the complete disclaimer here.