Developers of the privacy-focussed Brave web browser had to scamper to fix a bug to prevent the browser from leaking visited Tor addresses in DNS traffic.
Popular anonymouys browser Brave has sported a Tor mode since 2018 to allow users to visit the .onion addresses on the dark web without using the separate Tor browser.
However, an anonymous security researcher demonstrated that the browser was sending the queries for .onion addresses to public DNS resolvers for all to see, defeating the purpose of using the Tor mode.
Following the disclosure, several security researchers including PortSwigger Web Security’s James Kettle were able to independently verify the issue.
As it gained traction, Brave confirmed that they’ve been aware of the DNS leak since January 2021 when it was reported to its HackerOne-run bounty program. According to reports, Brave’s internal ad blocker component was responsible for inadvertently leaking the .onion domains.
The issue had already been addressed in the development nightly stream of the browser, according to Brave’s security engineer Yan Zhu. As per the usual practice new changes are tested in developmental branches of a software, to spot for any regressions, before they are pushed to the stable mainline release.
However, Zhu wrote that since the issue is now public, the developers were “uplifting the fix to a stable hotfix.” Not long after Brave released an updated stable release v1.20.108 that fixed the leak.