Brave Browser Leaks DNS Queries of the Users of Onion Services

A serious bug has been found in a browser that built its reputation on being privacy-focused. Until you are running a fixed build, stop using Brave to reach onion services.

This is unpleasant news for people who normally use Brave to access onion services. A dangerous bug was found in the browser: it sends DNS queries for .onion addresses to public DNS resolvers, outside the Tor network.

This may come as a surprise to those who chose Brave for its privacy guarantees. The marketing for the product centres on its security features and its ability to block cookies, disable JavaScript, hide advertising and perform similar tasks.

Recently, the developers added a Private Window with Tor feature to Brave. It lets users open onion services in a Tor-enabled window without leaving the browser. At first it looked like a convenient feature. It turns out, however, that DNS data leaks through it.

What Is the Mechanism of the Leak?

The leak comes from the browser's built-in ad blocking, which works much like Pi-hole or third-party ad blockers. So why would an ad blocker leak DNS data? The experts at TheHackerNews.com published a thorough explanation of the problem.

The relevant part of Brave's ad blocker is its CNAME-based blocking (often called CNAME uncloaking). It targets third-party tracking scripts that hide behind CNAME records: a site serves the tracker from a subdomain of its own domain, and that subdomain is a DNS alias (a CNAME) pointing at the tracker's real domain. A content blocker that only looks at the hostname in the URL sees a first-party subdomain and lets the script through. According to TheHackerNews.com, this is exactly how sites conceal third-party scripts: the request goes to a subdomain of the main domain and is then redirected at the DNS level to a tracking domain. To catch this, Brave resolves the hostname and follows the CNAME chain to see whether it ends at a known tracker. In a Private Window with Tor, that lookup went through the regular DNS path instead of through Tor, so the .onion hostname itself was handed to the DNS resolver. That should never happen: .onion is a special-use name (RFC 7686) that must not be looked up in the DNS at all.
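The following is an added example written for this article, not code from Brave. It models the CNAME uncloaking logic in Python with a resolver that records every name it is asked about, the way a Pi-hole query log would. The zone records, the tracker blocklist and the hostnames are constructed, and the patched variant shows one way to close the hole (never consult the resolver for .onion names or for requests from a Tor window); it is not Brave's actual fix.

```python
"""Added example, not Brave's code: a toy model of CNAME uncloaking.

Everything here is constructed for illustration: the zone records, the
tracker blocklist and the hostnames. The "patched" variant models one
way to close the leak; it is not Brave's actual fix.
"""
from dataclasses import dataclass, field

# Constructed zone: a first-party subdomain that is a CNAME alias for a
# tracker domain (CNAME cloaking). None marks the end of a chain.
ZONE = {
    "metrics.shop.example": "collect.tracker.example",
    "collect.tracker.example": None,
    "static.shop.example": None,
}

# Constructed tracker blocklist, matched on domain suffixes.
TRACKER_BLOCKLIST = {"tracker.example"}


def normalize(host):
    return host.lower().rstrip(".")


@dataclass
class RecordingResolver:
    """Stands in for the system DNS resolver and records every name it is
    asked about, which is exactly what a Pi-hole query log would show."""
    zone: dict
    queries: list = field(default_factory=list)

    def cname(self, name):
        name = normalize(name)
        self.queries.append(name)
        return self.zone.get(name)


def matches_blocklist(host, blocklist):
    """True if host equals, or is a subdomain of, a blocklisted domain."""
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def uncloak_unpatched(host, resolver, blocklist, max_depth=5):
    """Follow the CNAME chain until it hits a blocklisted target.

    Resolves unconditionally. Asked about an .onion name from a Tor
    window, it sends that name to the system resolver: the leak.
    """
    current = normalize(host)
    for _ in range(max_depth):
        if matches_blocklist(current, blocklist):
            return current
        target = resolver.cname(current)
        if target is None:
            return None
        current = normalize(target)
    return None


def uncloak_patched(host, resolver, blocklist, in_tor_window, max_depth=5):
    """Same logic, but never consults the resolver for .onion names
    (RFC 7686: they must not be looked up in the DNS) or for any request
    from a Tor window, whose name resolution must stay inside Tor."""
    host = normalize(host)
    if in_tor_window or host.endswith(".onion"):
        return host if matches_blocklist(host, blocklist) else None
    return uncloak_unpatched(host, resolver, blocklist, max_depth)


def demo():
    """Returns (cloaked tracker found, names the unpatched path sent to
    DNS, names the patched path sent to DNS) for constructed inputs."""
    onion = "a" * 56 + ".onion"          # constructed v3-style address
    normal = RecordingResolver(ZONE)
    cloaked = uncloak_unpatched("metrics.shop.example", normal, TRACKER_BLOCKLIST)
    leaky = RecordingResolver(ZONE)
    uncloak_unpatched(onion, leaky, TRACKER_BLOCKLIST)
    safe = RecordingResolver(ZONE)
    uncloak_patched(onion, safe, TRACKER_BLOCKLIST, in_tor_window=True)
    return cloaked, leaky.queries, safe.queries


if __name__ == "__main__":
    found, leaked, kept = demo()
    print("cloaked tracker:", found)         # collect.tracker.example
    print("unpatched sent to DNS:", leaked)  # the .onion name
    print("patched sent to DNS:", kept)      # []
```

The point of the model is in `demo()`: the same function that correctly unmasks `metrics.shop.example` as a tracker also pushes a 56-character .onion name into the resolver log when nothing stops it. Note that the patched variant still blocks a cloaked tracker in a normal window; it only refuses to do DNS work where DNS must not be used.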

Anyone who watches DNS query logs or runs a local DNS sinkhole such as Pi-hole could spot the leak straight away. If you run your own resolver and still have an unpatched version of Brave, the bug is easy to reproduce.

To confirm that the bug is present, follow these steps:

  • If query logging on your DNS server is disabled, enable it.
  • Open your DNS query log and watch it.
  • In Brave, right-click a link to an onion service and choose Open Link in Private Window with Tor.

A query for the .onion hostname then shows up in the DNS server's log, even though .onion names should never be looked up in the DNS at all. Whoever runs that resolver, and anyone who can watch its traffic, now knows which onion service you visited.
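Checking the log by eye works for a single test, but a small scanner is more useful if you want to know whether any client on the network has leaked .onion names. The script below is an added example, not part of the original article; it parses dnsmasq/Pi-hole style "query[TYPE] name from client" lines. The log lines and the onion addresses in it are constructed for the example.

```python
"""Added example, not from the article or from Brave: scan a dnsmasq /
Pi-hole style query log for .onion lookups.

Under RFC 7686 a .onion name must never be sent to the DNS, so any hit
is a leak from some client on the network. The log lines and addresses
below are constructed for the example.
"""
import re

# Constructed sample log in dnsmasq "query[TYPE] name from client" form.
# Mixed case and a trailing dot are included to exercise normalization.
SAMPLE_LOG = """\
Feb 19 10:00:01 dnsmasq[812]: query[A] www.example.com from 192.168.1.10
Feb 19 10:00:01 dnsmasq[812]: reply www.example.com is 93.184.216.34
Feb 19 10:00:07 dnsmasq[812]: query[A] constructed2test.onion from 192.168.1.10
Feb 19 10:00:07 dnsmasq[812]: query[AAAA] constructed2test.onion from 192.168.1.10
Feb 19 10:00:09 dnsmasq[812]: query[A] metrics.shop.example from 192.168.1.10
Feb 19 10:00:12 dnsmasq[812]: query[A] CONSTRUCTEDV3ONIONabcdefghijklmnopqrstuvwxyz234567234567.onion. from 192.168.1.23
"""

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def onion_version(name):
    """Classify an .onion name by the length of its service label:
    16 base32 characters for the old v2 format, 56 for v3."""
    label = name[: -len(".onion")].rsplit(".", 1)[-1]  # drop subdomain prefix
    if len(label) == 16:
        return "v2"
    if len(label) == 56:
        return "v3"
    return "unknown"


def find_onion_queries(log_text):
    """Return (client, qtype, name, version) for every .onion query line.

    Names are lower-cased and stripped of a trailing dot so the same
    hostname is reported consistently. Reply lines are ignored.
    """
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if name.endswith(".onion"):
            hits.append((m.group("client"), m.group("qtype"), name, onion_version(name)))
    return hits


def clients_leaking(hits):
    """Map each client address to the set of onion names it leaked."""
    out = {}
    for client, _qtype, name, _version in hits:
        out.setdefault(client, set()).add(name)
    return out


if __name__ == "__main__":
    found = find_onion_queries(SAMPLE_LOG)
    for client, qtype, name, version in found:
        print(f"{client} leaked {name} ({qtype}, {version})")
    print(clients_leaking(found))
```

To run it against a real log, pass the file contents to `find_onion_queries` (for example the dnsmasq log that Pi-hole keeps). Every hit identifies a client on your network whose software sent an onion address to the resolver; for the Brave bug that client is the machine running the unpatched browser.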

Did the Developer Take Any Measures?

The issue was first reported on January 13, 2021, through HackerOne, a bug bounty platform where security researchers report vulnerabilities to vendors, usually in exchange for a reward, with the overall aim of making the Internet safer.

A Nightly (pre-release) build of Brave reportedly already contains a patch for the bug. Once the developers learned of the problem they promised to ship a fix to their users, and the Brave 1.21.x release was expected to include it. At the time of writing, however, that fix had only reached the Nightly build; users of the public stable release had not yet received it.

So How Should I Access Onion Services Now?

Until the issue is fully fixed, do not access onion services through Brave: your DNS resolver, and anyone who can observe its traffic, learns which onion services you visit, so you cannot expect to remain anonymous. Use Tor Browser instead, which is the standard way to reach such sites. Tor Browser is built on Firefox, while Brave is based on Chromium.

Those who have used Tor Browser for a while may remember that it, too, had deanonymization issues in the past, which have since been fixed. Today it provides reasonable anonymity, provided you take some care yourself and, in particular, deliberately disable JavaScript (the Safest security level does this).

How Do Experts Handle JavaScript in Tor?

The operators of onion markets use different strategies to remind their customers of the necessary precautions. White House Market, Monopoly and other security-conscious markets simply refuse to work unless JavaScript is disabled.

TorRReZ, Versus and a few others instead try to load a couple of lines of JavaScript when a user opens the site. If the browser blocks the script, the page looks perfectly normal. If the browser runs it, the user sees odd lines on the screen together with a warning banner at the top of the window telling them to change their browser settings in order to improve their anonymity.