In brief
- Brave has been leaking private Tor info to DNS providers.
- The bug is not new, nor specific to the Brave browser.
- Brave has since addressed the matter in a hotfix, which is expected to go live soon.
Brave, a Chromium-based, privacy-first browser that integrates the anonymous Tor web browser, has been leaking private .onion addresses to domain name system providers.
Tor obscures users’ web browsing activity by bouncing web traffic across a global network of relays. That makes it near-impossible to trace a user’s web history, making the browser a perfect home for anyone in need of privacy: mostly activists, dark web drug barons and hackers.
But the bug, addressed in a beta and soon-to-be-fixed in a hotfix, leaked all that private information to DNS providers, meaning that internet companies could snoop on their users’ Tor activity.
This is because Brave, which integrated Tor in 2018, is a Chromium-based browser, meaning it uses the same architecture as Firefox and Google Chrome. This issue has plagued Chromium-based browsers for over a decade and has been found on Brave as far back as 2019.
Brave’s bug was raised on January 21 after a Hacker One report unearthed the issue. It was resolved, then added to the “Nightly” version two weeks ago. “Nightly” is a developer's version of Brave that updates each day.
However, since the bug blew up on Reddit and Twitter today, Brave is bumping it up to the official version.
this was scheduled to land in 1.21.x (currently in beta) but given that it's now public we will uplift to a stable hotfix
— yan (@bcrypt) February 19, 2021
Brave never professed to be as private as Tor. “Brave with Tor does not provide the same level of Privacy as the Tor browser, if your life depends on remaining anonymous, use the Tor browser,” said Ryan Watson, Brave’s VP of IT, two years ago on Reddit.
Tor is more secure because it scrubs digital “fingerprints” used to identify computers, wrote Watson. “Fingerprinting works by hiding in the crowd of other browsers, by using Tor in Brave you have a slightly more unique fingerprint than with Tor browser. Thus making you less anonymous.”
He added: “[Tor’s community] also develop and know about security issues before anyone else, so they get the patches first and they make their way downstream to other apps.”
Brave has been in hot water for betraying user trust in the past. It redirected some crypto-related search queries to affiliate links, from which it earned kickbacks. “It's not great, and sorry again. I'm sad about it, too,” tweeted Brendan Eich, the company’s fiery CEO after the scheme was unearthed. The bug, however, appears to be an error in code, rather than in judgment.