Brave browser acts quickly to resolve Tor session confidentiality bug

Feature did not sufficiently anonymize private browsing sessions

Developers at alternative privacy-focused browser Brave have been praised for quickly resolving a potentially troublesome privacy flaw.

Security researcher sick.codes found that the Brave private window (incognito) feature with Tor does not sufficiently anonymize users visiting Brave’s partner websites such as Binance and Coinbase.

On further digging, the same researcher discovered that Brave generated a folder during Tor sessions that it failed to delete at the end of private browsing sessions.

“After the user ends the Tor session, the data is not cleared and users should be aware that the Tor feature of Brave browser is not secure as intended and the browser can leak, or send usage statistics, of critical information to their partner websites that could be used by an attacker to triangulate a user,” the security researcher warned in an email to Brave.

Brave developer Yan Zhu responded promptly to the warning by developing a fix, which has been incorporated into the pre-mainstream release (nightly) version of the browser.

Brave 1.18.27 and below are affected.

The mainstream version is yet to be patched to resolve the security flaw.

Peeling back the Onion

The issues were uncovered after sick.codes examined a transient session information file called “Local State”.

“[Zhu} @bcrypt confirmed that the metric core_p3a_metrics that I discovered in Local State was overlogging,” the security researcher told The Daily Swig.

The issue creates the potential to violate the confidentiality of a user’s Tor session, but only to a local attacker since the vulnerability fails to lend itself to remote exploitation.

The security researcher earned $100 for his finding, more details on which can be found in a write up.

Sick (sick.codes) only began looking into the issue after he was confronted with an annoying pop-up ad for a crypto-currency site.

“Tor has been in Brave for two years, which makes me wonder why no-one had found all the Tor logging [before],” Sick told The Daily Swig. “[The} Brave security team though were really responsive."

A post on HackerOne offers additional information and context.

A vulnerability in the Brave Browser allows an attacker to view the last time a Tor session was used in incognito mode.

A local, on-disk attacker could read the Brave Browser’s ‘Local State’ json file and identify the last time a Tor session was used, affecting the confidentiality of a user’s Tor session.

For example, the ‘Local State’ file of a user who has recently used a Tor session would list a key value pair with a timestamp as accurate as ‘13248493693576042’.

This allows an attacker to fingerprint, or prove beyond reasonable doubt, that a user was using Tor at that very specific moment in time.

Brave is an open source browser built using Chromium. It boasts 20 million monthly active users.

RELATED HTTP/3: Everything you always wanted to know about the next-generation web protocol