back to article Brave browser leaks visited Tor .onion addresses in DNS traffic, fix released after bug hunter raises alarm

Brave has patched up its privacy-focused web browser after it was spotted leaking its Tor users' dark-web habits. The browser has a built-in Tor mode, allowing folks to easily and anonymously surf the dark-web network. However, this code started spilling over the open internet the .onion domains visited by the browser to …

  1. Anonymous Coward
    Anonymous Coward

    Holy crap, how did I not notice the 'new private window with tor' option until now? That's awesome!

    ...well, assuming it works... ;)

    1. NonSSL-Login

      Its been there a good few months.

      Considering how well the Tor browser goes to avoid fingerprintable data to be sent, down to things like the window size, I did wonder if Brave sends its Own UserAgent and other info which would make it stand out like a sore thumb on the Tor network,.

      1. Anonymous Coward
        Anonymous Coward

        good question. I wonder. I don't think either answer would surprise me.

  2. Anonymous South African Coward Bronze badge

    The Reg checked with Kia, and the answer was pretty unequivocal: “We are aware of online speculation that Kia is subject to a ransomware attack," a spokesperson told us. "At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack."

    Then what else could it be?

    The other alternative explanation could be that their IT infra was not up to standards, and something borked, taking out a whole load of services.

    “We are learning about these new attacks, some coming from states as part of new conflicts between nations, others coming from mafias,” Macron said in a briefing on Thursday, adding that ANSSI would need support from other countries to beat the ransomware scourge.

    The only way to stop these kind of attacks is to identify the ne'er-do-wells 100%, then go and have a nice talk with them, taking a baseballl bat with, and performing some percussion maintenance on the ne'er-do-wells kneecaps as well as any and sundry computer equipment.

    Or disconnect completely from the Internet.

    Yigitali Ercan, 33, of Philadelphia, was charged with second degree computer hacking after his former bosses told police Ercan had entered the company's computer systems illegally after leaving and made changes to the corporate website. A day later the company was hit by ransomware that encrypted files for extortion.

    Probably a wannabe BOFH, or somebody in the company got careless with security?

    1. Claptrap314 Silver badge

      Who says this was a security incident at all?

      I was at Google as an SRE, 2015-2016. Come Christmas, we did an "configuration slush"--no configuration changes unless it was to fix a current, live problem.

      OMGs dropped 80%. Every year.

      That's at a place I would consider to be healthy.

      We are are own worst enemies. No outside help is needed.

  3. sreynolds

    Meh, I never wear two condoms... But

    I never trust any app. Not even the linux kernel. I don't have anything to hide, but it really annoyed me when, in my opinion one of my former employers tried to spy on me.

    So to keep the attack surface small shy would you not run tor with two separate boxes with firewall rules ensuring traffic goes where you want? When will the kiddie fiddlers learn. Hopefully never.

  4. Anonymous Coward
    Anonymous Coward

    Google Webview

    OMG Brave leaks urls via DNS queries..... just a short reminder: that Google's Chrome Webview embed you see in loads of apps? That's phoning home to Google with usage data including urls. Most of those apps will not know they have to opt-out of that snooping, and they certainly didn't get their users permission for Google to opt them in by default on their behalf.

    https://developer.android.com/guide/webapps/webview-privacy

    1. A.P. Veening Silver badge

      Re: Google Webview

      That is a clear GDPR violation and I am sure the fines will follow in due time.

      1. Claptrap314 Silver badge
        Pint

        Re: Google Webview

        "In due time"... -->

        Heat death of the Universe, then...

  5. Gene Cash Silver badge

    "no evidence that Kia is subject to a ransomware attack"

    There's tons of other attacks that could be going on, and probably are, since they weasel-worded it this way.

  6. Anonymous Coward
    Anonymous Coward

    Reminder: https://www.theregister.com/2014/11/07/euro_cyber_cops_darknet_arrests/

    Tor browsing is no more than privacy through obfuscation.

    I am well aware there are perfectly sound and honorable reasons for using TOR.

    However, I'm delighted when peadophiles, drug dealers, and contract killers are exposed and prosecuted.

    In addition I am sure criminals themselves gather and utilize information about who is using TOR for what,

    because TOR users are more >likely< to be excellent targets for crime - bitcoin, extortion, etc.

    1. MrReynolds2U

      Tor was originally developed as a secure method for US intelligence communication - a different type of ne'er-do-well, if you like. So I get really annoyed when people make out it's solely a tool for criminals.

      Tor is primarily a tool for the security-conscious. Given that using a regular browser is tantamount to being followed 24/7 by Google et al, I completely understand Tor usage for normal (non-criminal) Internet users. The same could be said of Telegram and Proton Mail.

      Unfortunately, if I was dragged in front of a court tomorrow and the prosecution stated that I used Tor online, that revelation in itself would put the balance of doubt against me, which is a ridiculous situation.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like