A bug in the Brave web browser’s private browsing window with Tor could reveal the onion sites its users visited.
The Tor mode in the Brave web browser allows users to access .onion dark web domains inside Brave private browsing windows without the need to install Tor as a separate software package.
Brave’s Tor mode gave Brave users increased privacy when surfing the web, allowing them to access the .onion versions of legitimate websites like Facebook, Wikipedia, and major news portals.
An anonymous security researcher posted this week that Brave’s Tor mode was sending queries for .onion domains to public internet DNS resolvers rather than Tor nodes.
Even though the researcher’s findings were initially disputed, several leading security researchers have reproduced them, including James Kettle, Director of Research at PortSwigger Web Security, and Will Dormann, a vulnerability analyst for the CERT/CC team.
The risks from this DNS leak are serious, as any leak leaves footprints in DNS server logs for the Tor traffic of Brave browser users.
Brave Software, the company behind the Brave browser, has worked hard to build one of the most privacy-focused web browser products on the market today, second only to the Tor Browser itself.
Given the company’s history and dedication to user privacy, this issue is considered a bug that needs to be addressed.
Later, the Brave team announced a formal fix on Twitter. The patch was already live in the Brave Nightly version following a report more than two weeks ago. Following the public report this week, it will be pushed to the stable version for the next Brave browser update.
The source of the bug was identified as Brave’s internal ad blocker component, which was using DNS queries to discover sites attempting to bypass its ad-blocking capabilities, but its developers forgot to exclude .onion domains from these checks.
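
As an added example (not from the original article or from Brave), the Python code below shows how a defender could check a resolver's query log for the footprints described above: it flags names whose final label is .onion and groups them by client. The log lines are constructed samples in dnsmasq's query-log layout, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in dnsmasq's query-log layout (not real traffic).
SAMPLE_LOG = """\
Feb 19 10:01:02 dnsmasq[412]: query[A] example.com from 192.168.1.20
Feb 19 10:01:05 dnsmasq[412]: query[A] constructedsampleaddress.onion from 192.168.1.20
Feb 19 10:01:06 dnsmasq[412]: query[AAAA] Placeholder.ONION. from 192.168.1.31
Feb 19 10:01:09 dnsmasq[412]: query[A] onion.example.org from 192.168.1.31
Feb 19 10:01:10 dnsmasq[412]: reply example.com is 192.0.2.10
"""

# Matches only query lines: record type, queried name, client address.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def is_onion(name: str) -> bool:
    """True when the final DNS label is 'onion' (special-use TLD, RFC 7686).

    Comparing labels rather than substrings avoids false hits on names
    such as onion.example.org, and tolerates case and a trailing dot.
    """
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] == "onion"


def find_onion_leaks(log_text: str) -> dict:
    """Map each client address to the .onion names it sent to the resolver."""
    leaks = defaultdict(list)
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match and is_onion(match.group("name")):
            normalized = match.group("name").rstrip(".").lower()
            leaks[match.group("client")].append(normalized)
    return dict(leaks)


if __name__ == "__main__":
    for client, names in find_onion_leaks(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} .onion lookup(s) reached DNS: {names}")
```

Any hit means a client sent an onion name over ordinary DNS instead of through Tor, which is the condition the fix removes.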