A dangerous bug was detected in the browser that used to have a reputation of privacy-focused software. For now, you should stop using old version of Brave for onion services.
This is unpleasant news for people who normally use Brave to access onion services. A dangerous bug was detected in this browser that sends queries for onion addresses to public DNS resolvers.
Recently, the developers added to Brave the Private Window with Tor feature. It allows users to conveniently open onion services in a Tor-enabled tab. First, this feature seemed to be very opportune. But now, it turns out that the DNS data is leaking through it.
What Is the Mechanism of the Leak?
The leaks are caused by the browser’s in-built capabilities to block advertising. Their functionality is more or less the same as that of PiHole or ad blockers built by third parties. So why should they leak the DNS data? The experts of the TheHackerNews.com site came up with a comprehensive explanation of the problem.
The ad-blocking feature of the Brave browser is known as CNAME. It blocks third-party tracking scripts that employ CNAME DNS data to impersonate the first-party script when it is not and prevent detection by content blockers. According to TheHackerNews.com, an online resource can conceal third-party scripts with the help of the subdomains of the main domain. Then, an automatic redirection to a tracking domain will take place.
Anyone who checked DNS query logs or used a local DNS sinkhole could notice this feature right away. Users who run their server and have the unpatched version of Brave could easily test the bug.
To make sure that the bug really exists, follow these simple steps:
- If your logs were temporarily disabled, enable them.
- Check your DNS query logs.
- Right-click a link in the Brave browser and choose to Open Link in Private Window with Tor.
After that, the query for an onion service will be picked up by the DNS server.
Did the Developer Take Any Measures?
The first notification about this issue appeared on January 13, 2020, on HackerOne. Hackers and security experts launched this platform to share information about bugs with the ultimate goal of making the Internet a safer place. People who report about bugs there can expect to get a bounty.
A nightly release of the Brave browser allegedly featured a patch to fix the bug. After the developers got to know about this problem, they promised to update their product. The Brave 1.21.x version was supposed to include a patch for the DNS leak. But in fact, users have received only an update to the public version of the browser so far.
So How Should I Access Onion Services Now?
Until the issue is entirely fixed, please do not try to access onion services through Brave. You will not be able to remain anonymous. Instead, you might want to use Tor, which is the default browser for sites of such type. Tor was built on the basis of the Firefox browser — while Brave is based on Chromium.