Brave browser found to leak users' Tor dark web activity
Browser pins the blame on a misconfigured ad-blocking component
Developers of the privacy-focussed Brave web browser had to scamper to fix a bug that leaked visited Tor addresses in the browser's DNS traffic.
Popular anonymous browser Brave has sported a Tor mode since 2018 to allow users to visit the .onion addresses on the dark web without using the separate Tor browser.
However, an anonymous security researcher demonstrated that the browser was sending the queries for .onion addresses to public DNS resolvers for all to see, defeating the purpose of using the Tor mode.
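As an added illustration (not code from Brave or from the researcher), the following Python example shows how a defender could check captured DNS queries for the leak described above: it parses the question name out of each raw DNS message and flags any name under .onion, which should never appear in ordinary DNS traffic. The function names and sample packets are constructed for this example.

```python
import struct

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query; used only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(packet):
    """Return the lowercased name from the first question of a DNS message."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:
            return ".".join(labels)
        if length > 63:  # pointer or reserved label type, not expected here
            raise ValueError("unexpected label type")
        label = packet[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace").lower())
        pos += 1 + length

def onion_leaks(packets):
    """Names under .onion seen in plain DNS queries; malformed packets skipped."""
    leaks = []
    for packet in packets:
        try:
            name = parse_qname(packet)
        except ValueError:
            continue
        if name == "onion" or name.endswith(".onion"):
            leaks.append(name)
    return leaks

# Constructed sample traffic: the .onion name is a made-up placeholder.
SAMPLES = [
    build_query("example.com"),
    build_query("ConstructedPlaceholder.onion."),
    build_query("onion.example.com"),  # contains "onion" but is not a leak
    build_query("sub.constructedplaceholder.onion")[:20],  # truncated capture
]

if __name__ == "__main__":
    print(onion_leaks(SAMPLES))
```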
Already fixed
Following the disclosure, several security researchers including PortSwigger Web Security’s James Kettle were able to independently verify the issue.
As it gained traction, Brave confirmed that they’ve been aware of the DNS leak since January 2021 when it was reported to its HackerOne-run bounty program. According to reports, Brave’s internal ad blocker component was responsible for inadvertently leaking the .onion domains.
The issue had already been addressed in the development nightly stream of the browser, according to Brave’s security engineer Yan Zhu. As is usual practice, new changes are tested in the development branches of the software to spot any regressions before they are pushed to the stable mainline release.
However, Zhu wrote that since the issue is now public, the developers were “uplifting the fix to a stable hotfix.” Not long after, Brave released an updated stable release, v1.20.108, that fixed the leak.
Via: ZDNet
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.