Brave Browser resolves a privacy issue that leaks to the Tor onion URL that you visit your locally configured DNS server, exposing the dark web sites that you visit.
Brave is a chromium-based browser that has been modified with privacy in mind, including an integrated ad blocker, tight data controls, and built-in Tor browser mode to browse the web anonymously.
Tor-based websites use onion URL addresses that users can access only through the Tor network. For example, the address of DuckDuckGo Tor is https://3g2upl4pq6kufc4m.onion/and the address of New York Time is https://www.nytimes3xbfgragh.onion/.
To access Tor onion URLs, Brave has added a ‘Private Window with Tor‘ mode that acts as a proxy on the Tor network. When you try to connect to the onion URL, your request is forwarded to volunteer-run Tor nodes that make the request for you and send back the returned HTML.
When users are inside a Private Window with Tor, Brave does not connect directly to a website, but instead connects to a chain of three different computers on the Tor network.
When using Brave’s Tor mode, all requests should be forwarded to the Tor proxies and no information should be sent to any non-Tor Internet devices to increase privacy.
An anonymous researcher initially reported that the Brave’s Tor mode was sending.onion domain queries to public internet DNS resolvers, and other experts confirmed his findings.
“If you’re using Brave you probably use it because you expect a certain level of privacy/anonymity. Piping .onion requests through DNS where your ISP or DNS provider can see that you made a request for an .onion site defeats that purpose.” explained the researcher. “Anyhow, it was reported by a partner that Brave was leaking DNS requests for onion sites and I was able to confirm it at the time.”
Each query is stored in the logs of the DNS server for the Tor traffic of the Brave web browser users.
Following the disclosure, well-known security researchers including James Kettle of PortSwigger Web Security independently verified the issue using the Wireshark Packet Analysis Tool.
The Brave development team shortly after the public release of the bug addressed it in the Brave Nightly version and will be released to the stable version with the next Brave browser update.
The privacy bug, according to the development team, resides in the internal ad blocker component of the Brave web browser. The component used DNS queries to determine if the site was trying to bypass ad-blocking features, but the problem is that it carried out the same checks on .onion addresses.