mood Posted February 19, 2021

Brave privacy bug exposes Tor onion URLs to your DNS provider

Brave Browser is fixing a privacy issue that leaks the Tor onion URL addresses you visit to your locally configured DNS server, exposing the dark web websites you visit.

Brave is a Chromium-based browser that has been modified with privacy in mind, including a built-in ad blocker, tight data controls, and a built-in Tor browser mode to browse the web anonymously.

Websites located on Tor use onion URL addresses that users can only access through the Tor network. For example, DuckDuckGo's Tor address is https://3g2upl4pq6kufc4m.onion/ and the New York Times' address is https://www.nytimes3xbfgragh.onion/.

To access Tor onion URLs, Brave added a 'Private Window with Tor' mode that acts as a proxy to the Tor network. When you attempt to connect to an onion URL, your request is proxied through volunteer-run Tor nodes who make the request for you and send back the returned HTML.

Brave's Private Windows with Tor browsing mode

Due to this proxy implementation, Brave's Tor mode does not directly provide the same level of privacy as using the Tor Browser.

Brave leaks Tor DNS requests

When using Brave's Tor mode, it should forward all requests to the Tor proxies and not send any information to any non-Tor Internet devices to increase privacy.

However, a bug in Brave's 'Private window with Tor' mode is causing the onion URL for any Tor address you visit to also be sent as a standard DNS query to your machine's configured DNS server.

This bug was first reported in a Reddit post and later confirmed by James Kettle, the Director of Research at PortSwigger.

BleepingComputer has also verified the claims by using Wireshark to view DNS traffic while using Brave's Tor mode.
As you can see in the video below, when visiting the DuckDuckGo and NY Times' onion URLs in Brave's Tor browser mode, the browser also performed DNS queries to our locally configured DNS server, Google's public servers at IP address 8.8.8.8.

Brave is aware of this bug as it was reported on their GitHub project page eighteen days ago, and developers have already created a fix.

This issue is caused by Brave's CNAME decloaking ad-blocking feature that blocks third-party tracking scripts that use CNAME DNS records to impersonate a first-party script.

To prevent Tor URLs from being sent to configured DNS servers, Brave has disabled the CNAME adblocking feature when in the Tor browsing mode.

"Per discussion on slack with @bridiver and @iefremov, we came to a conclusion that disabling CNAME adblock for Tor would be best option now. Considering in order to make DoH route through Tor, we need to remove LOAD_BYPASS_PROXY for dns transaction but it might introduce dns and proxy code looping when we need to resolve proxy name," the Brave developers explained in the reported issue.

This fix was originally expected to roll out in the Brave Browser Beta 1.21.x but Brave Browser developer Yan Zhu tweeted that a hotfix will be uplifted to the next Stable version.

this was scheduled to land in 1.21.x (currently in beta) but given that it's now public we will uplift to a stable hotfix
— yan (@bcrypt) February 19, 2021

Source: Brave privacy bug exposes Tor onion URLs to your DNS provider
aum Posted February 21, 2021

Brave has fixed a privacy issue in its browser that sent queries for .onion domains to public internet DNS resolvers rather than routing them through Tor nodes, thus exposing users' visits to dark web websites.

The bug was addressed in a hotfix release (V1.20.108) made available yesterday.

Brave ships with a built-in feature called "Private Window with Tor" that integrates the Tor anonymity network into the browser, allowing users to access .onion websites, which are hosted on the darknet, without revealing the IP address information to internet service providers (ISPs), Wi-Fi network providers, and the websites themselves. The feature was added in June 2018.

This is achieved by relaying users' requests for an onion URL through a network of volunteer-run Tor nodes. At the same time, it's worth noting that the feature uses Tor just as a proxy and does not implement most of the privacy protections offered by Tor Browser.

But according to a report first disclosed on Ramble, the privacy-defeating bug in the Tor mode of the browser made it possible to leak all the .onion addresses visited by a user to public DNS resolvers.

"Your ISP or DNS provider will know that a request made to a specific Tor site was made by your IP," the post read.

DNS requests, by design, are unencrypted, meaning that any request to access .onion sites in Brave can be tracked, thereby defeating the very purpose of the privacy feature.

This issue stems from the browser's CNAME ad-blocking feature that blocks third-party tracking scripts that use CNAME DNS records to impersonate the first-party script when it is not and avoid detection by content blockers. In doing so, a website can cloak third-party scripts using sub-domains of the main domain, which are then redirected automatically to a tracking domain.
Brave, for its part, already had prior knowledge of the issue, for it was reported on the bug bounty platform HackerOne on January 13, following which the security issue was resolved in a Nightly release 15 days ago.

It appears that the patch was originally scheduled to roll out in Brave Browser 1.21.x, but in the wake of public disclosure, the company said it's pushing it to the stable version of the browser released yesterday.

Brave browser users can head to Menu on the top right > About Brave to download and install the latest update.

Source
Karlston Posted February 21, 2021

Similar topics merged.
worm_mba Posted February 22, 2021

Note: ZDNet reported that minutes after this article went live, the Brave team announced a formal fix on Twitter. The patch was actually already live in the Brave Nightly version following a report more than two weeks ago, but after the public report this week, it will be pushed to the stable version for the next Brave browser update.

The source of the bug was identified as Brave's internal ad blocker component, which was using DNS queries to discover sites attempting to bypass its ad-blocking capabilities, but had forgotten to exclude .onion domains from these checks.

https://twitter.com/bcrypt/status/1362796915063021569

The Tor mode included with the Brave web browser allows users to access .onion dark web domains inside Brave private browsing windows without having to install Tor as a separate software package.

Added in June 2018, Brave's Tor mode has allowed throughout the years access to increased privacy to Brave users when navigating the web, allowing them to access the .onion versions of legitimate websites like Facebook, Wikipedia, and major news portals.

But in research posted online this week, an anonymous security researcher claimed they found that Brave's Tor mode was sending queries for .onion domains to public internet DNS resolvers rather than Tor nodes.

While the researcher's findings were initially disputed, several prominent security researchers have, in the meantime, reproduced his findings, including James Kettle, Director of Research at PortSwigger Web Security, and Will Dormann, a vulnerability analyst for the CERT/CC team.

https://twitter.com/albinowax/status/1362737949872431108

Furthermore, the issue was also reproduced and confirmed by a third source, who also tipped off ZDNet earlier today.

The risks from this DNS leak are major, as any leaks will create footprints in DNS server logs for the Tor traffic of Brave browser users.
While this may not be an issue in some western countries with healthy democracies, using Brave to browse Tor sites from inside oppressive regimes might be an issue for some of the browser's other users.

Brave Software, the company behind the Brave browser, has not returned a request for comment sent before this article's publication earlier today.

Over the past three years, the company has worked to build one of the most privacy-focused web browser products on the market today, second only to the Tor Browser itself.

Based on its history and dedication to user privacy, the issue discovered this week appears to be a bug, one the company will most likely hurry to address in the coming future.

Source: Brave browser leaks onion addresses in DNS traffic
Archived
This topic is now archived and is closed to further replies.