Brave browser revealed onion addresses in DNS traffic

An anonymous information security expert published a study, according to which the Brave browser, operating in Tor mode, revealed the onion addresses of sites visited by the user, and left traces in the logs on the DNS server.

Tor mode was integrated into Brave back in 2018 and allows users to visit onion sites. This is done by proxying user requests through Tor nodes, which make a request to the onion resource instead of it, and then send back the received HTML.

The researcher said that when the browser is running in Private window with Tor mode, it transmits the onion addresses of any sites visited to the DNS server in the format of a standard DNS query (which, of course, should not happen). The video below, recorded by Bleeping Computer reporters, shows DuckDuckGo and NY Times onion addresses performing DNS queries against a locally configured DNS server (Google’s public servers at IP address 8.8.8.8).

For the first time information about this problem was published on Reddit, and at first many doubted the correctness of the expert’s conclusions. However, the existence of the bug was soon confirmed by such well-known information security specialists as CERT/CC analyst Will Dormann and PortSwigger Web Security chief researcher James Kettle.

“I just confirmed that yes, Brave browsers Tor mode appear to leak all the onion addresses you visit to your DNS provider”, — James Kettle tweeted, providing a screenshot for evidence.

The Brave devs have already reported that they are aware of the problem, and a patch for it was included in the Brave Nightly build two weeks ago after receiving a bug report. The fix is promised to be transferred to the stable version during the next browser update.

The source of the bug turned out to be an ad blocker built into Brave, which used DNS queries to detect sites trying to circumvent its bans, but the developers forgot to exclude .onion domains from these checks.

“In mid-January 2021, we were made aware of a bug that would allow a network attacker to see DNS requests that were made in a private window in Brave with Tor connectivity. The root cause was a new adblocking feature called CNAME adblocking which initiated DNS requests that did not go through Tor in order to check if a domain should be blocked. This bug was discovered and reported by xiaoyinl on HackerOne. We responded immediately to the report and included a fix for this vulnerability in the February 4, 2021 in the nightly update”, — а spokesperson of Brave told The Daily Swig.

Recall that we talked that Opera, Brave and Vivaldi will not impose advertising on users after Chromium update.