Brave Privacy Bug Exposed Tor Onion URLs To Your DNS Provider (bleepingcomputer.com)
Brave Browser had a privacy issue that leaked the Tor onion URL addresses you visited to your locally configured DNS server, "exposing the dark web websites you visit...", writes Bleeping Computer.
Long-time Slashdot reader AmiMoJo quotes their report: To access Tor onion URLs, Brave added a "Private Window with Tor" mode that acts as a proxy to the Tor network. When you attempt to connect to an onion URL, your request is proxied through volunteer-run Tor nodes that make the request for you and send back the returned HTML. Due to this proxy implementation, Brave's Tor mode does not directly provide the same level of privacy as using the Tor Browser.
When using Brave's Tor mode, it should forward all requests to the Tor proxies and not send any information to any non-Tor Internet devices to increase privacy. However, a bug in Brave's "Private window with Tor" mode is causing the onion URL for any Tor address you visit to also be sent as a standard DNS query to your machine's configured DNS server. This bug was first reported in a Reddit post and later confirmed by James Kettle, the Director of Research at PortSwigger. BleepingComputer has also verified the claims by using Wireshark to view DNS traffic while using Brave's Tor mode.
Brave has since released an update which fixes the bug.
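The check BleepingComputer describes, watching the DNS traffic a machine emits and looking for .onion names, is easy to automate. The following is an added example, not code from Brave or from BleepingComputer: it decodes raw DNS query payloads (RFC 1035 wire format, as captured from UDP port 53) and flags any query whose question name ends in .onion. The sample packets are constructed inline and the onion names in them are placeholders, not real services. A browser that handles .onion correctly never hands such a name to the operating system's resolver, so any hit here is a leak.

```python
"""Flag DNS queries for .onion names in raw DNS payloads (RFC 1035 wire format).

Added example: decodes the question section of captured DNS queries and
reports names that should never have reached a conventional resolver.
"""
from __future__ import annotations

import struct


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a minimal standard DNS query (QTYPE A by default, QCLASS IN).

    Used here only to construct sample traffic offline.
    """
    # Header: ID, flags (RD set, QR clear = query), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(payload: bytes, offset: int = 12) -> tuple[str, int]:
    """Decode the QNAME at offset; return (lower-cased name, offset after it).

    Raises ValueError on malformed input. Compression pointers are rejected
    because the question section of a query does not use them.
    """
    labels: list[str] = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if length > 63:
            raise ValueError("label too long")
        offset += 1
        label = payload[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace").lower())
        offset += length


def query_names(payload: bytes) -> list[str]:
    """Return the question names of a DNS *query* message.

    Responses (QR bit set) and unparseable messages yield an empty list, so
    a capture that mixes both directions can be fed in unfiltered.
    """
    if len(payload) < 12:
        return []
    _txid, flags, qdcount, *_rest = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:  # QR=1: this is an answer, not something we sent
        return []
    names: list[str] = []
    offset = 12
    for _ in range(qdcount):
        try:
            name, offset = parse_qname(payload, offset)
        except ValueError:
            break  # malformed question: keep what was decoded so far
        names.append(name)
        offset += 4  # skip QTYPE and QCLASS
    return names


def is_onion(name: str) -> bool:
    """True for names inside the .onion special-use domain."""
    return name == "onion" or name.endswith(".onion")


def find_onion_leaks(payloads) -> list[str]:
    """Return every .onion question name seen across the given DNS payloads."""
    return [n for p in payloads for n in query_names(p) if is_onion(n)]


# Constructed sample traffic; the .onion labels are placeholders, not real sites.
SAMPLE_PAYLOADS = [
    build_query("example.com"),                                # ordinary lookup
    build_query("abcdefghijklmnop.onion"),                     # leaked onion name
    build_query("www.abcdefghijklmnop.onion", qtype=28),       # AAAA lookup, also a leak
    b"\x12\x34\x81\x80" + b"\x00" * 8,                         # response header: ignored
]

if __name__ == "__main__":
    for leaked in find_onion_leaks(SAMPLE_PAYLOADS):
        print("LEAK: configured resolver saw a query for", leaked)
```

To feed it real traffic, capture with `tcpdump -i any udp port 53 -w dns.pcap` while opening an onion site in the browser under test, then pass each UDP payload to `find_onion_leaks`; in Wireshark the equivalent one-liner is the display filter `dns.qry.name contains ".onion"`. The expected result for a correct Tor mode is an empty list: RFC 7686 reserves .onion as a special-use domain precisely so that these names are resolved inside Tor and never sent to an ordinary resolver.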
Re: Brave (Score:2)
The what community?
Re: Brave (Score:5, Funny)
> The what community?
Assuming he has his parity bits set correctly, I am told the 'B' represents the Conservative belief in only two genders.
But no matter - he's better off using a browser from a military contractor anyway. Clean ethics right there.
I'd hope the VPN caught that (Score:2)
Or the Starbucks' ISP will know everything I just did.
My DNS provider is my PieHole (Score:1)
'Nuff said
Color me surprised... (Score:1)
Any Web browser that brings along its own ad platform gets a black mark in my book. I don't understand why there is so much fanboism for Brave, because (IMHO, of course) it doesn't really guard privacy as much as say Firefox does with the right extensions, and VPN.
Re: (Score:2)
Any Web browser that brings along its own ad platform gets a black mark in my book. I don't understand why there is so much fanboism for Brave, because (IMHO, of course) it doesn't really guard privacy as much as say Firefox does with the right extensions, and VPN.
I've never used Brave and I didn't even know it had its own ad platform, but the word in right-wing circles is that Google is teh evil and Brave will protect your privacy - also, you have to use duckduckgo otherwise you won't find the websites that tell you what's really going on.
They post messages like this on discussion forums where Google's ad networks drive revenue which I find somewhat amusing. "I don't use Google or social media" they proudly proclaim on right-wing discussion forums even though they
Failure of testing (Score:4, Insightful)
If you are implementing a privacy mode, shouldn't you at least do a Wireshark dump and inspect it? Before releasing it?
This is really not rocket science...
Re: (Score:2)
Indeed. And this is one thing that you obviously need to test. Looks like there are some incompetents at work.
Re: (Score:2)
Well, from the outside it is pretty hard distinguishing a stupid mistake and malice concealed as a stupid mistake. These days it is basically impossible because there are so many big-ego-small-skills "coders" around that the most stupid mistakes are being made without any malice at all.