A privacy vulnerability in the Brave browser will expose the onion URL that users visit

In an online study published this week, an anonymous security researcher claimed that they discovered that Brave Tor mode is sending queries for the .onion domain to public Internet DNS resolvers instead of Tor nodes, which will expose user access onion URL.

Brave is a Chromium-based browser, known for its privacy, and in June 2018 added a built-in Tor browser mode for anonymous web browsing. Websites on Tor use onion URL addresses, so users can only access them through the Tor network. For example, the Tor address of DuckDuckGo is https://3g2upl4pq6kufc4m.onion/, and the address of the New York Times is https://www.nytimes3xbfgragh.onion/.

When using Brave’s Tor mode, it should forward all requests to the Tor proxy and not send any information to any non-Tor network device. However, Brave’s “Private window with Tor” mode will cause any Tor onion URL accessed by the user to be sent to the computer’s configured DNS server as a standard DNS query. This issue is caused by Brave’s CNAME masquerading blocking feature, which prevents third-party tracking scripts that use CNAME DNS records to mimic first-party scripts.

The problem was still controversial when it was discovered, but then several other well-known security researchers also reproduced the problem, including PortSwigger Web Security research director James Kettle and CERT/CC team vulnerability analyst Will Dormann.

I just confirmed that yes, @brave browser's Tor mode appears to leak all the .onion addresses you visit to your DNS providerhttps://t.co/IMV97jWhZf pic.twitter.com/jlcUGFigdR

— James Kettle (@albinowax) February 19, 2021

The problem has now been fixed. After the issue was exposed, Brave Browser developer Yan Zhu stated that the issue was actually fixed in the Nightly version two weeks ago and is scheduled to be launched in the next stable version. Soon afterward, Brave browser released version 1.20.108.