spc50 wrote on February 20, 2021 at 4:15 AM (edited on February 20, 2021 at 4:53 AM)

We made mass media about this :) ZDNet on MSN.

https://www.msn.com/en-us/money/other/brave-browser-leaks-onion-addresses-in-dns-traffic/ar-BB1dPSnS

Brave browser leaks onion addresses in DNS traffic Catalin Cimpanu 11 hrs ago

Added in June 2018, Brave's Tor mode has allowed throughout the years access to increased privacy to Brave users when navigating the web, allowing them to access the .onion versions of legitimate websites like Facebook, Wikipedia, and major news portals.

But in research posted online this week, an anonymous security researcher claimed they found that Brave's Tor mode was sending queries for .onion domains to public internet DNS resolvers rather than Tor nodes.

While the researcher's findings were initially disputed, several prominent security researchers have, in the meantime, reproduced his findings, including James Kettle, Director of Research at PortSwigger Web Security, and Will Dormann, a vulnerability analyst for the CERT/CC team.

Furthermore, the issue was also reproduced and confirmed by a third source, who also tipped off ZDNet earlier today.

The risks from this DNS leak are major, as any leaks will create footprints in DNS server logs for the Tor traffic of Brave browser users.

While this may not be an issue in some western countries with healthy democracies, using Brave to browse Tor sites from inside oppressive regimes might be an issue for some of the browser's other users.

Brave Software, the company behind the Brave browser, has not returned a request for comment sent before this article's publication earlier today.

Over the past three years, the company has worked to build one of the most privacy-focused web browser products on the market today, second only to the Tor Browser itself.

Based on its history and dedication to user privacy, the issue discovered this week appears to be a bug, one the company will most likely hurry to address in the coming future.

Update: Minutes after this article went live, the Brave team announced a formal fix on Twitter. The patch was actually already live in The Brave Nightly version following a report more than two weeks ago, but after the public report this week, it will be pushed to the stable version for the next Brave browser update. The source of the bug was identified as Brave's internal ad blocker component, which was using DNS queries to discover sites attempting to bypass its ad-blocking capabilities, but had forgotten to exclude .onion domains from these checks.

spc50 wrote on February 20, 2021 at 5:01 AM (edited on February 20, 2021 at 6:02 AM)

So once again ads bite users in the rear.

Decoupling ad blocking from the browser would be darn smart (ublock origin is simply awesome - so far).

Ad blocking on browser layer should be done via plugins / addons.

Question is what is / was Brave shipping out - calling home - to check? Is Brave saying here is a domain that cleared in the browser, let's call home remotely to verify? That's what it appears.

That isn't a feature. That is Brave collecting lookups unknown to those running the browser. When I do a lookup I expect MY DNS SERVER to deal with it. I don't expect the browser to go talking behind my back.

Terrible 'feature' that should be removed. It is distributed intelligence and I understand that pursuit well. However, it is something people ought to opt into and be aware of.

So yes, Brave likely has been logging onion addresses also and internal domains and other private things they should never be seeing. What is being done with that data and where is note of handling and destruction thereof?

Funnier though is Brave should have seen these onion address lookups whenever 'bug' was introduced. Smart people know those don't belong there. Something isn't right about all of this. Doesn't pass sniff test.

It is up to Brave to prove what they are or aren't doing. I don't believe it until someone speaks and provides code and breaks it down for non coders.