Brave browser’s Tor mode exposed users’ dark web activity
A bug in the ad blocking
component of Brave’s Tor feature caused the browser to leak users' DNS queries
By Amer Owaida
Brave, one of the top-rated browsers for
privacy, has fixed a bug in its
Private Windows with Tor feature that leaked the .onion URLs for websites
visited by the browser’s users, according to a report by an
anonymous researcher, the browser’s built-in Tor mode – which takes private
browsing to a new level by allowing users to navigate to .onion websites on the
dark web without having to install Tor – was leaking Domain Name System (DNS)
requests for the websites.
“If you’re using Brave you
probably use it because you expect a certain level of privacy/anonymity. Piping
.onion requests through DNS where your ISP or DNS provider can see that you made
a request for an .onion site defeats that purpose,” reads the post.
RELATED
READING: 3 ways to browse the web anonymously
While testing the issue,
the researcher found that when a request is made for a .onion domain while
using Private Window with Tor, the request makes its way to the DNS server and
is tagged with the Internet Protocol (IP) address of the requester.
“This shouldn’t happen.
There isn’t any reason for Brave to attempt to resolve a .onion domain through
traditional means as it would with a regular clearnet site,” said the
researcher. This means that when you use Tor with Brave and access a specific
Tor website, your internet service provider (ISP) or DNS provider would be able
to tell that the request for that specific website was made from your IP
address.
According to a tweet by Brave’s Chief Information Security Officer
Yan Zhu, Brave was already aware of the issue since it was previously reported
on HackerOne. It has since pushed out a hotfix to resolve the Tor DNS issue, which was
traced to the browser’s adblocking component, which used a separate DNS query.
Full article: Brave browser’s Tor mode exposed
users’ dark web activity | WeLiveSecurity