A privacy bug related to the built-in Tor mode was recently patched in Brave browser. The bug was spotted by bug hunter known as xiaoyinl, and reported to Brave via its HackerOne bug bounty program.
Brave Browser’s built-in Tor mode caused DNS leaks
In a conversation with TheRegister, a Brave spokesperson has said that “the root cause was a new ad-blocking feature called CNAME ad-blocking.” The feature initiated DNS requests that didn’t go through Tor to determine if a domain should be blocked.
“As is our usual process for bug fixes, we have been testing the changes in nightly to make sure that they didn’t cause regressions or other bugs before releasing to the stable channel. However, given the severity of the issue and the fact that it is now public (thereby making it easier to exploit), we are accelerating the timeline for this issue and releasing the fix today in stable (1.20.x),” the spokesperson explained.
The Brave browser has been famous for its built-in Tor feature. However, the privacy mode which should allow anonymous browsing on the dark web started leaking the .onion domains to DNS servers configured for non-Tor websites. This could then allow the DNS operators or other threat actors to reveal the hidden services the user required.
You should update your Brave browser to the latest version to avoid any privacy-related leaks.