Brave Privacy Bug Exposes Tor Onion URLs To Your DNS Provider
Brave Browser is fixing a privacy issue that leaks the Tor onion URL addresses you visit to your locally configured DNS server, exposing the dark web websites you visit.
Brave is a Chromium-based browser that has been modified with privacy in mind, including a built-in ad blocker, tight data controls, and a built-in Tor browser mode to browse the web anonymously.
Websites located on Tor use onion URL addresses that users can only access through the Tor network. For example, DuckDuckGo’s Tor address is https://3g2upl4pq6kufc4m.onion/ and the New York Times’ address is https://www.nytimes3xbfgragh.onion/.
To access Tor onion URLs, Brave added a ‘Private Window with Tor’ mode that acts as a proxy to the Tor network. When you attempt to connect to an onion URL, your request is proxied through volunteer-run Tor nodes that make the request for you and send back the returned HTML.
Due to this proxy implementation, Brave’s Tor mode does not directly provide the same level of privacy as using the Tor Browser.
Brave leaks Tor DNS requests
To increase privacy, Brave’s Tor mode should forward all requests to the Tor proxies and not send any information to any non-Tor Internet devices.
However, a bug in Brave’s ‘Private window with Tor’ mode is causing the onion URL for any Tor address you visit to also be sent as a standard DNS query to your machine’s configured DNS server.
BleepingComputer has also verified the claims by using Wireshark to view DNS traffic while using Brave’s Tor mode.
As you can see in the video below, when visiting the DuckDuckGo and NY Times’ onion URLs in Brave’s Tor browser mode, the browser also performed DNS queries to our locally configured DNS server, Google’s public servers at IP address 126.96.36.199.
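The same check can be scripted against captured DNS traffic. The following is an added example, not code from the article or from Brave: it parses the question section of plain DNS query payloads and reports any `.onion` name that reached the resolver. The function names and the sample payloads are constructed for illustration; the onion names are the two quoted in the article.

```python
import struct

ONION_SUFFIX = ".onion"  # special-use TLD; should never reach a DNS resolver

def build_query(name, txid=0x1A2B):
    """Build a minimal DNS A query (used only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_question_name(msg):
    """Return the lowercased first QNAME of a DNS query, or None."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount < 1:  # skip responses and empty questions
        return None
    labels, pos = [], 12
    while pos < len(msg):
        length = msg[pos]
        if length == 0:
            return ".".join(labels).lower()
        if length & 0xC0 or pos + 1 + length > len(msg):
            return None  # compression pointer or truncated label
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None  # ran off the end without a root label

def find_onion_leaks(payloads):
    """Return the .onion names found in plain DNS query payloads."""
    leaks = []
    for payload in payloads:
        name = parse_question_name(payload)
        if name and name.endswith(ONION_SUFFIX):
            leaks.append(name)
    return leaks

# Constructed sample: UDP/53 payloads as they would appear in a capture.
SAMPLE_PAYLOADS = [
    build_query("example.com"),
    build_query("3g2upl4pq6kufc4m.onion"),
    build_query("www.nytimes3xbfgragh.onion"),
    build_query("www.nytimes3xbfgragh.onion")[:20],  # truncated packet
]

if __name__ == "__main__":
    for leaked in find_onion_leaks(SAMPLE_PAYLOADS):
        print("onion name sent to DNS resolver:", leaked)
```

Any hit means the name left the machine outside Tor, since onion addresses are resolved inside the Tor network and never through DNS.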
Brave is aware of this bug as it was reported on their GitHub project page eighteen days ago, and developers have already created a fix.
This issue is caused by Brave’s CNAME decloaking ad-blocking feature that blocks third-party tracking scripts that use CNAME DNS records to impersonate a first-party script.
To prevent Tor URLs from being sent to configured DNS servers, Brave has disabled the CNAME adblocking feature when in the Tor browsing mode.
“Per discussion on slack with @bridiver and @iefremov, we came to a conclusion that disabling CNAME adblock for Tor would be best option now. Considering in order to make DoH route through Tor, we need to remove LOAD_BYPASS_PROXY for dns transaction but it might introduce dns and proxy code looping when we need to resolve proxy name,” the Brave developers explained in the reported issue.
This fix was originally expected to roll out in the Brave Browser Beta 1.21.x but Brave Browser developer Yan Zhu tweeted that a hotfix will be uplifted to the next Stable version.