Brave Browser leaks your Tor / Onion service requests through DNS.

Submitted by Rambler in privacy (edited)

Edit: (Since this is gaining traction elsewhere.) I'm not trying to shit on Brave. I'm just wanting to help protect end-users who may use Brave for its Tor feature to do stuff over Tor that should only be done with the actual Tor browser. If you're using Brave you probably use it because you expect a certain level of privacy/anonymity. Piping .onion requests through DNS where your ISP or DNS provider can see that you made a request for a .onion site defeats that purpose.

I'm also no NetSec expert but you don't have to be to replicate this. I'm just a dude with some websites and projects and I'm not certain I would have taken notice of this if it wasn't reported to me by a partner on another project who witnessed this behavior when monitoring his local requests leaving his network. He'll be doing his own write-up and is more equipped to discuss this at length than me.


Testing out something that was noted a week or so ago, and wanting to replicate it for the purpose of this post.

Some of you know I'm working on an ad, tracker, and other BS blocking VPN service for an unrelated project to this site. Go to /f/incoghost (website) for more because I try to keep these things separated.

Anyhow, it was reported by a partner that Brave was leaking DNS requests for onion sites and I was able to confirm it at the time. Decided to spin up a VM with Brave and test with this site's Onion service (though it will do this for any .onion)

Example:

 Feb 18 12:02:25: query[A] rambleeeqrhty6s5jgefdfdtc6tfgg4jj6svr4jpgk4wjtg3qshwbaad.onion from 104.244.xx.xxx

What this entry shows (simply) is that the request made for the domain rambleeeqrhty6s5jgefdfdtc6tfgg4jj6svr4jpgk4wjtg3qshwbaad.onion made it to the DNS server and is tagged with the IP of the requester, which in this case is just the test / dev VPN. This shouldn't happen. There isn't any reason for Brave to attempt to resolve a .onion domain through traditional means as it would with a regular clearnet site.

This is especially worrisome for those of you who use Brave browser from your normal residential IP and (for whatever reason) use the Tor feature built into the browser to access Tor sites. Your ISP or DNS provider will know that a request made to a specific Tor site was made by your IP. With Brave, your ISP would know that you accessed somesketchyonionsite.onion .

TL;DR: If you're going to use Tor, use the Tor Browser and not Brave. The Tor browser itself doesn't leak these requests like Brave does.


Edit: To clarify, the VPN service we're working on is no-logging but during this dev and testing period we're logging DNS requests while we work out the kinks in the blocklists. This has also allowed us to witness .onions being passed through which is a fault of Brave.


Edit 2: Screenshot: https://images2.imgbox.com/98/46/1i084PbC_o.png

That was me loading duckduckgo in a different container, with Brave, while live fetching DNS requests made to the DNS server. I blurred out the non-onion requests. (Different VPN test location than in the above example, so a 209.x.x.x IP instead of the 104.x.x.x one in the original example.)


EDIT 2: The mods of /r/privacy won't let this be posted. They say:

While we (vastly) prefer the Tor Browser over the Brave one, you'll need a better source than the one you found. Can you find something from a more widely recognized NetSec expert? Something along the lines of Bruce Schneier's blog or something at that level of credibility?

and

The problem with screenshots is that they can be faked, trivially. There are also a host of approaches that credible writers/reporters in the NetSec space do before a line of text appears in print. It's this kind of journalism that we have to trust, since we humble Mods don't have the time or resources to vet. So, we'll need something better sourced. Sorry!

and

There are new posts everyday "warning" people of things that aren't legitimate, hence the caution. This is not a "security" subreddit. A moderator's job is to ensure that the subreddit doesn't devolve into conspiracy theories and misinformation. Security announcements should be vetted and confirmed, not independent claims that the mods have no time to independently verify.

I can post the steps on how to easily replicate this by using pi-hole on their local networks. Anyone is capable of verifying this.

Great. Please do so on r/brave, r/netsec, r/infosec, and other places where this is both directly relevant and appropriate to seek others confirmation. Once vetted by the community (and republished by professionals), you're welcome to post those official responses.

/r/brave is private, invite only. I posted on netsec and infosec so we'll see. I guess /r/privacy must love Brave and not allow anything against it since it's so god damned easy to verify this...

All you have to do to VERIFY that this is happening is A.) Use Brave B.) Go to an Onion site C.) Observe DNS traffic. Install Pi-Hole on a Raspberry Pi or in a Virtual Machine on your desktop and run your DNS requests through it for ease of use and you can verify it. Not sure why they're so hesitant to inform their subscribers of this.


Edit 3: Tested on both a Debian 10 and an Ubuntu desktop. I'm not an esteemed NetSec researcher and I'm not setting up 100 different scenarios.

28
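The detection the post describes (watch your resolver's query log for anything ending in .onion; the Pi-hole steps in Edit 2/3 come down to the same thing) can be scripted against dnsmasq/Pi-hole logs. The following is an added example, not code from the original post or from Brave; the log lines in it are constructed (the first one is the post's own entry), and the parser only assumes dnsmasq's usual `query[TYPE] name from client` line shape:

```python
"""Spot DNS queries for .onion names in dnsmasq / Pi-hole query logs.

Added example; not code from the original post. It parses the line format
shown in the post ("query[A] <name> from <client>") and reports every query
whose name sits under the special-use .onion TLD (RFC 7686), which should
never reach a clearnet resolver. The SAMPLE_LOG lines below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# dnsmasq (and therefore Pi-hole) writes query lines such as
#   Feb 18 12:02:25 dnsmasq[812]: query[A] example.com from 192.168.1.20
# The post's excerpt omits the "dnsmasq[pid]:" part, so the pattern only
# anchors on the timestamp and the "query[TYPE] name from client" tail.
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"
    r".*?\bquery\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


@dataclass(frozen=True)
class Query:
    ts: str
    qtype: str
    name: str      # lower-cased, trailing dot removed
    client: str    # requester address exactly as dnsmasq logged it


def parse_query(line: str):
    """Return a Query for a dnsmasq 'query[...]' line, else None."""
    m = QUERY_RE.search(line.strip())
    if m is None:
        return None   # forwarded/reply/cached lines and junk are skipped
    return Query(m["ts"], m["qtype"], m["name"].rstrip(".").lower(), m["client"])


def is_onion(name: str) -> bool:
    """True when the rightmost label is 'onion' (RFC 7686 special-use TLD)."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] == "onion"


def find_onion_leaks(lines):
    """Every parsed query whose name is under .onion, in log order."""
    return [q for q in map(parse_query, lines) if q is not None and is_onion(q.name)]


def leaks_by_client(leaks):
    """Group leaked .onion names by requesting client, e.g. for a report."""
    out = defaultdict(list)
    for q in leaks:
        out[q.client].append(q.name)
    return dict(out)


# Constructed sample: the post's own line plus a few realistic neighbours.
SAMPLE_LOG = [
    "Feb 18 12:02:25: query[A] rambleeeqrhty6s5jgefdfdtc6tfgg4jj6svr4jpgk4wjtg3qshwbaad.onion from 104.244.xx.xxx",
    "Feb 18 12:02:25 dnsmasq[812]: query[A] duckduckgo.com from 192.168.1.20",
    "Feb 18 12:02:25 dnsmasq[812]: forwarded duckduckgo.com to 1.1.1.1",
    "Feb 18 12:02:26 dnsmasq[812]: reply duckduckgo.com is 40.89.244.232",
    "Feb 18 12:02:26 dnsmasq[812]: query[A] onion.example.com from 192.168.1.20",  # not a leak
    "Feb 18 12:02:27 dnsmasq[812]: query[AAAA] Facebookcorewwwi.ONION. from 192.168.1.20",
    "not a log line at all",
]

if __name__ == "__main__":
    leaks = find_onion_leaks(SAMPLE_LOG)
    for q in leaks:
        print(f"{q.ts} LEAK {q.qtype:5} {q.name} from {q.client}")
    print(leaks_by_client(leaks))
```

Feed it `/var/log/pihole.log` (or `journalctl -u dnsmasq`) while loading a .onion in the browser under test; a clean browser produces no hits at all, because a .onion name is not supposed to exist outside the Tor network and a compliant client never asks DNS about it.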

Comments


Rambler OP wrote

/r/privacy on reddit won't allow this post because:

While we (vastly) prefer the Tor Browser over the Brave one, you'll need a better source than the one you found. Can you find something from a more widely recognized NetSec expert? Something along the lines of Bruce Schneier's blog or something at that level of credibility?

Does anyone else wish to replicate this to confirm?

6

____ wrote

Don't even bother. Post it on Reddit alternatives like Ruqqus, Poal, Phuks, Notabug, etc. instead. Don't support sites that have heavy censorship.

5

smartypants wrote (edited)

Poal.co censors far far too much in Feb 2021 : two examples in my prior post.

but I agree that Rambler needs to post this asking for confirmation on all the following sites, and even other less censoring subreddits on Reddit.

The top 29 known mostly Free Speech social sites, unranked :

https://boards.4chan.org/pol/
https://archive.4plebs.org/pol/ (legible nondeletable 4chan)
https://www.16chan.xyz/pol/
https://8kun.top (current 2020 8Chan, tor onion link : jthnx5wyvjvzsxtu.onion)
https://8kun.top/pnd/ (8Chan pol)
https://forum.searchvoat.co/viewforum.php?f=31 (never censors legal speech)
https://www.dailystormer.name (https://dailystormer.su/)
https://endchan.org
https://notabug.io/t/all
https://9chan.tw/bestpol/
https://phuks.co/ [server down Oct 2020, up again]
https://poal.co/ (censors speech often, proof https://files.catbox.moe/iuncm1.jpg)
https://ramble.pw/ (not famous yet)
https://wearethene.ws/ (2021 very active 8Chan Q stuff, more legible)
https://Greatawakening.win/ (Q related)
https://raddle.me/ (Raddle)
https://vnnforum.com/
https://patriots.win/ (claims to be free speech, CENSORS discussions of jews, guns, race IQ, etc)
https://ruqqus.com/+MAGA (2% of the old thedonald.win users went here, despite ruqqus censorship)
https://dstormer6em3i4km.onion.link/ [http://dstormer6em3i4km.onion/] (emergency tor onion for https://dailystormer.su/)
https://www.whitedate.net/whitedate-forums/
https://endchan.net/qanonresearch/
https://ruqqus.com/ (claims to be free speech, has leftists control a lot of it)
https://saidit.net/ (censors, but not as bad as reddit)
https://communities.win/ (censors, but not as bad as reddit)

2

Rambler OP wrote

I created a Ruqqus account and posted in +Privacy but it's not showing up so it's probably either because my account is new. I created a Poal account and posted it there and it appears to me. May not if I log out. Not sure.

1

smartypants wrote (edited)

Thanks for your research, keep posting to all the 29 or so free speech sites... too bad Poal shadowbans, censors, deletes, and is a god damned dumpster fire.

I posted proof of two popular user upvoated topics totally censored by Poal admins this last week : https://ramble.pw/f/privacy/2387/-/comment/2901

LIST OF PLACES for you to consider posting your research and revelations!:

https://ramble.pw/f/privacy/2387/-/comment/2902

Save that list!

Also, be sure to add "on my OS, on my machine" conditionals as well, to not trigger people demanding you try it on 3 ISPs on 3 machines. Ask for confirmation at top and bottom of your post to not trigger the Brave fanboy nazis thinking you are an enemy shill.

2

Rambler OP wrote

Also, be sure to add "on my OS, on my machine" conditionals as well, to not trigger people demanding you try it on 3 ISPs on 3 machines. Ask for confirmation at top and bottom of your post to not trigger the Brave fanboy nazis thinking you are an enemy shill.

Yeah, good idea.

1

Rambler OP wrote

I don't have accounts at those. Well I think I may have an old Ruqqus account or something.

Feel free to share yourself. Helps this site AND more importantly, helps protect the privacy of Brave users.

1

____ wrote

Definitely always just use Tor Browser on desktop, if only to prevent sites from fingerprinting you.

3

not_bob wrote

.onion is a special tld that should never be sent to a DNS server to be resolved. Ever.

3

boobs wrote

... unless you are using tor's transparent proxy feature.

1

div1337 wrote

It's disappointing, I'm wondering if it has something to do with how Chromium works? Perhaps using Chromium as a base was a mistake.

2

Rambler OP wrote

Could be. But anything that is advertised to do with Tor shouldn't make any activity known outside of the Tor network itself.

2

RandomlyGeneratedUsername wrote

Following the discussion on /r/netsec, Bruce Schneier is also a director of the Tor Project ;)

2

smartypants wrote

Bruce Schneier is/was a NSA plant in 1993, proven by ME!

I EXPOSED HIM IN 1993 with actual proof on cyberpunks hangouts, such as usenet

Main proof, was his deliberate subverting of his Blowfish algorithm , that infected over 43 crypto library products!

https://en.wikipedia.org/wiki/Blowfish_(cipher)

His Blowfish source code was deliberately subverted in a clever way by him to collapse a crypto key of 256 bits to merely 32 bits if it was derived from a user-entered text passphrase and the letters typed by the user had the high bit set (in ANSI, the high bit is UNDEFINED, not zero, but additionally, Mac and PC users can trivially type countless symbols on keyboards that have the highest bit set).

That wiki page, and most people who are not crypto experts in the early 1990s, do NOT KNOW OF NSA connection to Bruce Schneier to spread backdoors in crypto libraries!!!!

wayback machines for usenet used to exist, and could have shown a direct URL to my research proving Bruce Schneier to be under NSA control. NSA uses cash to subvert crypto libraries. Large cash payments are how NSA got engineers at apple to subvert Apples own source code "accidental changes" to SSL code in iOS.

Bruce Schneier is a FUCKING SHILL for NSA!

Remember, Bruce Schneier ALGORITHM for Blowfish was OK, it was his backdoor exploit in the free source code that he widely distributed that has the exploit to collapse and nullify all keyspace.

The high bit got erroneously smeared to all lower bits in each byte of the passphrase. This fact and exploit is still unknown outside of my typing here to you now, and the very rarely archived usenet group I posted to in 1993, 1994. I generally never publish my countless exploits I discover in hardware or software, but I am not wrong and anyone with a copy of Bruce Schneier's widely used blowfish source code promoted in 1994 can trivially verify all I wrote using an ANSI C conformant compiler.

BEWARE Bruce Schneier!

His backdoors in source code , PROVEN, may have toppled governments, promoted fraud, got political dissidents executed, and more.

2

spc50 wrote (edited)

F-off to reddit and other control NAZIS (as opposed to my kosher friends - at least the genuine ones of faith).

This gatewaying of all information and only calling something valid when it is admitted by a head of pyramid is tired.

This is why people sit on 0 day exploits for years and drop things strategically. Because too many people out there in power positions are abusive and in denial that their sh!t stinks.

Brave is an ugly baby.

I went back and found I tagged Brave leaking to plain DNS back on February 6th. Was new to me. Working on other stuff involving Tor and had just spun up Brave to check it out. Wondered why strange stuff in my DNS logs (you log your DNS lookups, don't you? You should).

Now who can point me to all the bundled Brave releases? Cause they are all fronted to feed you latest one. I want to selectively install and test and see how many releases they've been outing .onion addresses and putting normies at risk.

2

spc50 wrote (edited)

We made mass media about this :) ZDNet on MSN.

https://www.msn.com/en-us/money/other/brave-browser-leaks-onion-addresses-in-dns-traffic/ar-BB1dPSnS

Brave browser leaks onion addresses in DNS traffic Catalin Cimpanu 11 hrs ago

Added in June 2018, Brave's Tor mode has allowed throughout the years access to increased privacy to Brave users when navigating the web, allowing them to access the .onion versions of legitimate websites like Facebook, Wikipedia, and major news portals.

But in research posted online this week, an anonymous security researcher claimed they found that Brave's Tor mode was sending queries for .onion domains to public internet DNS resolvers rather than Tor nodes.

While the researcher's findings were initially disputed, several prominent security researchers have, in the meantime, reproduced his findings, including James Kettle, Director of Research at PortSwigger Web Security, and Will Dormann, a vulnerability analyst for the CERT/CC team.

Furthermore, the issue was also reproduced and confirmed by a third source, who also tipped off ZDNet earlier today.

The risks from this DNS leak are major, as any leaks will create footprints in DNS server logs for the Tor traffic of Brave browser users.

While this may not be an issue in some western countries with healthy democracies, using Brave to browse Tor sites from inside oppressive regimes might be an issue for some of the browser's other users.

Brave Software, the company behind the Brave browser, has not returned a request for comment sent before this article's publication earlier today.

Over the past three years, the company has worked to build one of the most privacy-focused web browser products on the market today, second only to the Tor Browser itself.

Based on its history and dedication to user privacy, the issue discovered this week appears to be a bug, one the company will most likely hurry to address in the coming future.

Update: Minutes after this article went live, the Brave team announced a formal fix on Twitter. The patch was actually already live in The Brave Nightly version following a report more than two weeks ago, but after the public report this week, it will be pushed to the stable version for the next Brave browser update. The source of the bug was identified as Brave's internal ad blocker component, which was using DNS queries to discover sites attempting to bypass its ad-blocking capabilities, but had forgotten to exclude .onion domains from these checks.

2
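The fix description quoted above (an ad-blocker component issuing its own DNS queries to catch blocking bypasses, with no exclusion for .onion) and not_bob's point earlier in the thread (.onion must never be sent to a DNS server, with the transparent-proxy exception boobs notes) describe the same bug class. The following is an added example, not Brave's code and not from the original page: it models an anti-bypass (CNAME-cloaking style) check, which is my reading of "DNS queries to discover sites attempting to bypass its ad-blocking", in a vulnerable and a hardened form, against a fake resolver that records what it was asked so the whole thing runs offline.

```python
"""Model of the bug ZDNet describes: an ad-blocker's own DNS lookups leaking .onion.

Added example; not Brave's code and not taken from the original page. It
assumes an anti-bypass check that asks DNS for every host's CNAME and that
forgot to exclude .onion. RecordingResolver stands in for the stub resolver
and logs every name that would have hit the wire.
"""

# TLDs that must never be sent to a clearnet resolver.
# onion: RFC 7686. The rest: RFC 6761 special-use names (the same check
# keeps LAN-internal names out of public DNS, a point spc50 raises below).
NO_DNS_TLDS = frozenset({"onion", "local", "localhost", "invalid", "test", "example"})


def is_special_use(host: str) -> bool:
    """True when the rightmost label is a special-use TLD that DNS must not see."""
    labels = host.rstrip(".").lower().split(".")
    return labels[-1] in NO_DNS_TLDS


class RecordingResolver:
    """Stand-in for the OS/stub resolver: canned CNAME answers, every query logged."""

    def __init__(self, cname_table):
        self.cname_table = {k.lower(): v for k, v in cname_table.items()}
        self.queries = []          # names that left the box (or would have)

    def cname(self, host):
        self.queries.append(host.lower())
        return self.cname_table.get(host.lower())


def uncloak_leaky(host, resolver):
    """Vulnerable form: every host, .onion included, is looked up in DNS."""
    target = resolver.cname(host)
    return target if target else host


def uncloak_guarded(host, resolver):
    """Hardened form: special-use names are returned untouched, no DNS I/O.

    Per RFC 7686 a client must fail a .onion name without ever consulting DNS.
    The one setup where a .onion name may legitimately reach "DNS" is Tor's
    transparent proxy (tor's own DNSPort answers it); a clearnet resolver
    never qualifies. In a browser's Tor mode the remaining clearnet lookups
    must also travel via Tor's SOCKS/DNSPort, which is outside this example.
    """
    if is_special_use(host):
        return host
    target = resolver.cname(host)
    return target if target else host


def leaked_names(hosts, uncloak):
    """Which of `hosts` ended up in a DNS query when processed by `uncloak`."""
    resolver = RecordingResolver({"ads.example.com": "tracker.example.net"})
    for h in hosts:
        uncloak(h, resolver)
    return [q for q in resolver.queries if is_special_use(q)]


if __name__ == "__main__":
    # Constructed inputs: the post's onion address, a cloaked ad host, a LAN host.
    hosts = [
        "rambleeeqrhty6s5jgefdfdtc6tfgg4jj6svr4jpgk4wjtg3qshwbaad.onion",
        "ads.example.com",
        "nas.local",
    ]
    print("leaky  :", leaked_names(hosts, uncloak_leaky))
    print("guarded:", leaked_names(hosts, uncloak_guarded))
```

The structural lesson is that the filter has to sit at the one choke point every auxiliary lookup passes through; a browser feature that builds its own DNS path (ad-blocker, prefetcher, safe-browsing check) is a second resolver, and each such path needs the same special-use exclusion the main one has.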

spc50 wrote (edited)

So once again ads bite users in the rear.

Decoupling ad blocking from the browser would be darn smart (ublock origin is simply awesome - so far).

Ad blocking on browser layer should be done via plugins / addons.

Question is what is / was Brave shipping out - calling home - to check? Is Brave saying here is a domain that cleared in the browser, let's call home remotely to verify? That's what it appears.

That isn't a feature. That is Brave collecting lookups unknown to those running the browser. When I do a lookup I expect MY DNS SERVER to deal with it. I don't expect the browser to go talking behind my back.

Terrible 'feature' that should be removed. It is distributed intelligence and I understand that pursuit well. However, it is something people ought to opt into and be aware of.

So yes, Brave likely has been logging onion addresses also and internal domains and other private things they should never be seeing. What is being done with that data and where is note of handling and destruction thereof?

Funnier though is Brave should have seen these onion address lookups whenever 'bug' was introduced. Smart people know those don't belong there. Something isn't right about all of this. Doesn't pass sniff test.

It is up to Brave to prove what they are or aren't doing. I don't believe it until someone speaks and provides code and breaks it down for non coders.

1

MysteryRepeatsItself wrote

Very interesting. Not that I know too much about what you posted, but I'm learning!

1

abuhussain wrote

it's = it is. its = possessive. That's what you want to use.

Your articles are high-quality ones. Don't degrade them by following the example of millions of people on the internet who use them wrong, or even interchangeably.

1

smartypants wrote (edited)

Rambler,

Thank you deeply, for this research!

Sorry about fascists at Reddit blocking and censoring you on r/privacy, though other groups there might let your research get posted.

AVOID censoring dumpster-fire kiked sites like Ruqqus or Poal. Poal censors DAILY, popular things that might name Jews or agitate feelings of Blacks.

Two censored Poal posts this week examples!

CENSORED!

Example one , from Feb 2021 , The mere image of the Letter "R", merely the single letter "R" got a valued highly educated user de-facto BANNED , his "s/Funny" post marked NSFW, and the letter R entire thread moved from +66 upvotes on "Funny" to censored and hidden "Shitpostsub" https://poal.co/s/Shitpostsub/286684

See? The thin-skinned admins actually de-facto banned a user for merely posting a single post to Funny of the letter R: https://files.catbox.moe/iuncm1.jpg

Poal CENSORS Daily!

Here is a second censored rising popular thread, banned and shoahed off the front page of "News", deleted this week in Feb 2021, ironically moved to hidden "Censorship" site by the kike admins from "News" :

https://poal.co/s/Censorship/299637

That WAS a link to famous front page "s/News" story on thegatewaypundit about jewed Parler banning people who make Jew jokes, like the actual Jew Milo Yiannopoulos does. (Yes he mocks jews and christians and muslims alike).

The CENSORED title of the thread banned on Poal this week is entitled :

PARLER first week back : Now Banning Conservatives who write jokes about (((Democrats))). ‘Free Speech’ Platform Parler Bans Milo Yiannopoulos!!! May be allowed on shadowban.

And the kikes at Poal BANNED that news article , but not much later articles, merely because that title used echoes ((())). Using echoes on Poal can get your content or you, banned by the jews that run Poal.co!

Poal.co is a kiked, censoring, DUMPSTER FIRE

https://poal.co/s/Censorship/299637

I am on a tangent, sorry...

Regarding Brave Browser DNS leak.....

80% of Brave was written by Apple via Safaris source code WebKit (yes really) :

https://en.wikipedia.org/wiki/WebKit

that Apple Safari webKit was "forked" and renamed Chrome, then renamed Chromium by Google.

Chrome too is still 70% written by Apple (WebKit).

Also not only Brave, and Chrome, but THESE BROWSERS are all 70% or more Chromium source code:

  • Vivaldi (70% Chromium source code (Apple))
  • Microsoft Edge in 2018 onward (70% Chromium source code (Apple))
  • Brave in 2020 onward (80% Chromium source code (Apple))
  • Opera in 2019 onward (70% Chromium source code (Apple))
  • Opera Reborn 3 in 2019 onward (70% Chromium source code (Apple))

All are Chromium org source, all up to date with private GUI addons to monetize and make money.

https://www.guidingtech.com/top-chromium-based-browsers-windows/

Those all add private closed source crap, as does Google, but Google announces total war this month Feb 2021 on those three and started deleting and removing code from the hosted Chromium source code the three browsers share !!!

GOOGLE CHROMIUM JUST GOT SUBVERTED THIS MONTH!

On March 15, 2021, Google will limit access to many Chrome application programming interfaces (API) inside the open-source Chromium web browser:

https://blog.chromium.org/2021/01/limiting-private-api-availability-in.html

https://www.zdnet.com/article/google-should-really-open-source-chromium/

Anyways..

the point of my rambling is...

Checkout browsers from 12 months ago from Brave and also the others I mentioned and do quick regression test of your suspicions.

Then , also before blaming brave, get a person to bring a laptop to your place and do a test with their device.

You might have MITM (Man in The Middle) malware installed by feds in your test machine and it might not be Brave's fault.

Or you were hacked with the V8 exploits last month in many browsers.

Chrome zero-day bug that is actively being abused by bad folks affects Edge, Brave, Vivaldi, and other Chromium-tinged browsers:
https://www.theregister.com/2021/02/05/chrome_zero_day_update/

But SPREAD THE WORD!!! Just ignore the kiked Poal.co censoring site. It is actively against disclosures of the main law enforcement oriented agencies cyber tools and means : (CIA/NSA/NRO/FBI/DIA/USDOJ/State Dept INR/USAFISR/DOE/DHS/TFI/ONSI/NSF/ etc)

THANK YOU RAMBLER!

0