Brave browser’s Tor feature found to leak .onion queries to ISPs

UPDATED Brave, the privacy-focused web browser, is exposing users’ activity on Tor’s hidden servers – aka the ‘dark web’ – to their internet service providers, it has been confirmed.

Brave is shipped with a built-in feature that integrates the Tor anonymity network into the browser, providing both security and privacy features that can help obscure a user’s activity on the web.

Tor is also used to access .onion websites, which are hosted on the dark net.

Earlier today (February 19), a blog post from ‘Rambler’ claimed that Brave was leaking DNS requests made in the Brave browser to a user’s ISP.

DNS requests are unencrypted, meaning that any requests to access .onion sites using the Tor feature in Brave can be tracked – a direct contradiction to its purpose in the first place.

The blog post reads: “Your ISP or DNS provider will know that a request made to a specific Tor site was made by your IP. With Brave, your ISP would know that you accessed somesketchyonionsite.onion.”

Following the disclosure, well-known security researchers including PortSwigger Web Security’s James Kettle independently verified the issue using the Wireshark packet analysis tool.

“I just confirmed that yes, Brave browsers Tor mode appear to leak all the .onion addresses you visit to your DNS provider,” Kettle tweeted, providing a screenshot for evidence.

Security researcher James Kettle independently verified the Brave browser privacy issue

User response

Considering that the Tor Browser was specifically built to hide a users’ internet browsing from their ISP, the news has provoked a vociferous response online.

“Privacy my ass,” wrote Twitter user @s_y_m_f_m, while other called the findings “appalling”.

The issue has been present in the stable release since November 2020, and was reported “in mid January”, a Brave developer told The Daily Swig.

Since the time of publication, a Brave developer has confirmed that the browser will be releasing a hotfix for the issue.

The issue is already fixed in nightly, the development build of the browser. The developer, @bcrypt on Twitter, wrote: “Since it’s now public we’re uplifting the fix to a stable hotfix.

“Root cause is regression from cname-based adblocking which used a separate DNS query.”

The Daily Swig has reached out to Brave for comment, and will update this article accordingly.

This article has been updated to include the information that a hotfix is being issued. An earlier version stated that the issue has been present since 2019, this has been corrected to 2020.

Source: https://portswigger.net/daily-swig/brave-browsers-tor-feature-found-to-leak-onion-queries-to-isps