A privacy bug related to the built-in Tor mode was recently patched in Brave browser. The bug was spotted by bug hunter known as xiaoyinl, and reported to Brave via its HackerOne bug bounty program.
Brave Browser’s built-in Tor mode caused DNS leaks
In a conversation with TheRegister, a Brave spokesperson has said that “the root cause was a new ad-blocking feature called CNAME ad-blocking.” The feature initiated DNS requests that didn’t go through Tor to determine if a domain should be blocked.
“As is our usual process for bug fixes, we have been testing the changes in nightly to make sure that they didn’t cause regressions or other bugs before releasing to the stable channel. However, given the severity of the issue and the fact that it is now public (thereby making it easier to exploit), we are accelerating the timeline for this issue and releasing the fix today in stable (1.20.x),” the spokesperson explained.
The Brave browser has been famous for its built-in Tor feature. However, the privacy mode which should allow anonymous browsing on the dark web started leaking the .onion domains to DNS servers configured for non-Tor websites. This could then allow the DNS operators or other threat actors to reveal the hidden services the user required.
You should update your Brave browser to the latest version to avoid any privacy-related leaks.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: