A security vulnerability was found in the Brave Browser's Tor mode, the feature that lets users reach .onion dark web domains from a Brave private browsing window.

Brave’s Tor ‘privacy’ mode:

The Brave Tor mode was intended to enhance the privacy of Brave users when browsing the internet. The ‘Private Window with Tor’ embeds the Tor anonymity network into the browser, allowing users to access .onion websites, which are hosted on the darknet, without revealing their IP address to service providers or to the websites themselves.

However, research by cybersecurity experts found that the Brave Tor mode was forwarding queries for .onion domains to public internet DNS resolvers instead of routing them through Tor nodes.

Resolvers are servers on the Internet that use the Domain Name System (DNS) protocol to look up records on the authoritative name servers and return the results to end-user applications.

As a result, an Internet service provider (ISP) or DNS operator can see which Tor website a given user's IP address requested.

Trackable .onion websites:

DNS requests are sent unencrypted, so any request to access a .onion site from the Brave browser can be tracked.
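As an added illustration, not part of the original article: a resolver-side check a network defender can run to spot such leaks. It scans constructed BIND-style query log lines (the log format is assumed here) for .onion names, which under RFC 7686 should never reach the public DNS at all, and reports them per client.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on BIND's query log format (not real traffic).
SAMPLE_LOG = """\
19-Feb-2021 10:00:01.101 client @0x7f1 192.168.1.10#51234 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.53)
19-Feb-2021 10:00:02.202 client @0x7f2 192.168.1.10#51240 (exampleabcdefghij.onion): query: exampleabcdefghij.onion IN A +E(0)K (10.0.0.53)
19-Feb-2021 10:00:03.303 client @0x7f3 192.168.1.22#40011 (tracker.example.net): query: tracker.example.net IN CNAME +E(0)K (10.0.0.53)
19-Feb-2021 10:00:04.404 client @0x7f4 192.168.1.22#40015 (Example-Onion-Site.ONION.): query: Example-Onion-Site.ONION. IN AAAA +E(0)K (10.0.0.53)
19-Feb-2021 10:00:05.505 client @0x7f5 192.168.1.10#51250 (notonion.example.org): query: notonion.example.org IN A +E(0)K (10.0.0.53)
"""

# Extract the client address, queried name and record type from one log line.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def is_onion_name(qname):
    """True if the rightmost label is 'onion' (case-insensitive, trailing dot ignored)."""
    labels = qname.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "onion"

def find_onion_leaks(log_text):
    """Return (client, normalised name, qtype) for every .onion query seen by the resolver."""
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_onion_name(m["qname"]):
            leaks.append((m["client"], m["qname"].rstrip(".").lower(), m["qtype"]))
    return leaks

def leaks_by_client(log_text):
    """Count leaked .onion lookups per client address."""
    counts = defaultdict(int)
    for client, _, _ in find_onion_leaks(log_text):
        counts[client] += 1
    return dict(counts)

if __name__ == "__main__":
    for client, name, qtype in find_onion_leaks(SAMPLE_LOG):
        print(f"{client} sent a {qtype} lookup for {name} to the resolver")
```

A resolver that sees such queries has learned which hidden services a client wanted to visit, regardless of what the client's browser shows as a "private" window.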

This essentially defeats the whole purpose of the privacy mode, which Brave introduced back in 2018.

The vulnerability springs from the Brave browser's ad-blocking feature, which it proudly promotes. The feature blocks third-party tracking scripts that use CNAME DNS records to pose as first-party scripts and evade content blockers: a website can hide a third-party script behind a subdomain of its own domain, which the CNAME record then silently redirects to a tracking domain. To uncover this, the blocker looks up the CNAME records of the domains a page loads, and in Tor mode those lookups were sent to the regular DNS resolver rather than through Tor.

Patched version rolls out:

Brave patched the vulnerability in version 1.20.108, released on February 19.

The patch was initially scheduled for Brave Browser 1.21.x, but after the issue was discovered publicly, the company stated that it was pushing the fix to the stable version of the browser.

Users are advised to update their Brave Browser to the latest version to avoid any possible exposure or theft of their data.