Brave Browser's Tor Mode Was Leaking Onion Addresses In DNS Traffic

Brave, Tor Mode in private browsing

Brave may be an underdog. But when it comes to features, the browser is considered unique, and is already a popular choice for those who value privacy.

Among Brave's features is Tor mode, which lets privacy-concerned users browse the dark side of the web. It allows users to visit .onion websites directly inside Brave's private browsing windows, without having to download and install the Tor browser as a separate software package.

This particular feature was introduced back in June 2018.

While most people on the web would browse the surface web, there are a number of people who just love the dark web and anonymous browsing. And Brave's Tor mode is giving them just that.

But an anonymous security researcher claimed to have found a bug in Brave's Tor mode that inadvertently sent user queries for .onion domains to public internet DNS resolvers rather than Tor nodes.

As a result, users' privacy was compromised.

At first, the researcher's findings were disputed.

But soon after, once several prominent security researchers were able to reproduce the findings, Brave users and Tor users started to worry.

This is because the risks of this kind of DNS leak are big.

Any DNS leak creates footprints in server logs. For Tor users, this is a big no, considering that the Tor network is supposed to reroute users' traffic through Tor nodes for privacy reasons.

"Piping .onion requests through DNS where your ISP or DNS provider can see that you made a request for an .onion site defeats that purpose," wrote the anonymous researcher.

"There isn't any reason for Brave to attempt to resolve a .onion domain through traditional means as it would with a regular clearnet site."

Soon, the Brave team announced a formal fix on Twitter.

The patch was actually made live in the Brave Nightly version following a report made more than two weeks before this.

But because this finding made the bug public, Brave had to push the update to the stable version sooner rather than later.

As for the bug, it was reported to be in Brave's internal ad blocker component.

The ad blocker Brave was using ran DNS queries to discover websites attempting to bypass its ad-blocking capabilities, but it apparently did not exclude .onion domains from these checks.

Because of this, access to .onion websites would be logged by users' ISP or DNS provider, meaning that users' IP addresses would get logged, compromising privacy, the very thing the Tor network is offering.

The fix Brave introduced added the exclusion, so that queries for .onion websites go through Tor nodes and no longer through DNS traffic.
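The exclusion described above, together with a way to check a resolver's query log for .onion names that escaped it, as an added example that is not Brave's code. The function names, the dnsmasq-style log format and the sample lines are assumptions made for illustration.

```python
import re

# Assumed dnsmasq-style query line: "... query[A] <name> from <client>"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def is_onion(hostname: str) -> bool:
    """True if the top-level label is 'onion' (special-use name, RFC 7686)."""
    labels = hostname.strip().rstrip(".").lower().split(".")
    return labels[-1] == "onion"


def may_use_system_dns(hostname: str) -> bool:
    """Guard any helper (ad blocker, prefetcher) calls before a DNS lookup."""
    return not is_onion(hostname)


def find_onion_leaks(log_lines):
    """Return (client, qtype, name) for each .onion query the resolver saw."""
    leaks = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_onion(m.group("name")):
            name = m.group("name").rstrip(".").lower()
            leaks.append((m.group("client"), m.group("qtype"), name))
    return leaks


# Constructed sample log lines; the .onion name is a made-up placeholder.
SAMPLE_LOG = [
    "Feb 25 10:01:02 dnsmasq[811]: query[A] example.com from 192.0.2.10",
    "Feb 25 10:01:05 dnsmasq[811]: query[A] PlaceholderHiddenService.onion. from 192.0.2.10",
    "Feb 25 10:01:06 dnsmasq[811]: query[AAAA] www.placeholderhiddenservice.onion from 192.0.2.23",
    "Feb 25 10:01:09 dnsmasq[811]: query[A] onion.example.com from 192.0.2.23",
    "Feb 25 10:01:09 dnsmasq[811]: reply example.com is 192.0.2.80",
]

if __name__ == "__main__":
    for client, qtype, name in find_onion_leaks(SAMPLE_LOG):
        print(f"leak: {client} asked {qtype} for {name}")
```

Matching on the last label only, after stripping a trailing dot and lowercasing, keeps `onion.example.com` resolvable while still catching subdomains and fully qualified forms of .onion names.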

Published: 25/02/2021