Privacy bug in Brave browser leaks Tor-Onion URLs to DNS provider

[German]Brave browser have had a bug in the privacy mode, so that the leaked all Tor-Onion URLs in Privat Windows with Tor mode to the DNS provider. However, the developers seem to have corrected this bug in the meantime.


Brave is a Chromium-based browser that has been modified with privacy in mind. This includes a built-in ad blocker, strict data controls and a built-in Tor browser mode for anonymous web browsing. Websites on the Tor network use special onion URL addresses of the type https://3g2upl4pq6kufc4m.onion/ (DuckDuckGo), which users can only access through the Tor network. To access Tor onion URLs, Brave has provided a "Private Window with Tor" mode that acts as a proxy for the Tor network. Brave writes about this:

When you are in a private window with Tor, Brave does not connect directly to a website as usual. Instead, you connect to a chain of three different computers on the volunteer-run Tor network, one after the other, and only then to the web page you are visiting. Between those three Tor computers, only one really knows where the connection is coming from, and only one really knows where it's going. And those two don't even talk to each other because there's another computer in the middle!

So when trying to connect to an Onion URL, the request is routed through volunteer Tor nodes. These perform the request and send back the returned HTML. From the perspective of the visited web pages, the connection comes from the last Tor computer, which acts as an exit node. Web sites do not learn the real IP address, but they can see that the connection is obfuscated by Tor (Tor nodes are not secret). In addition, the connection over many Tor relays is slow. Brave promises:

Your ISP, your employer, or the owner of the WiFi network you're connected to won't see what sites you're visiting either, because Brave doesn't connect directly to the site. Instead, someone watching your network connection will only see that you are connecting to the Tor network. Some network owners try to block connections to the Tor network because they want to decide which sites you can visit. With Tor, you can bypass this blocking.

Now someone has discovered that the Brave browser is giving away private Tor-Onion addresses through DNS queries. The link to this post was then shared on, as Bleeping Computer notes here. James Kettle, Director of Research at UK provider PortSwigger, confirmed this in this tweet.

Brave Browser Tor onion DNS Leak

Security researcher Will Dormann also confirmed this bug in another tweet and posted the recording of the DNS sent. 


Brave Browser Tor onion DNS Leak

James Kettle says, that the Brave developers were probably already aware of the problem, but had not yet fixed it with an update. Bleeping Computer linked to this Github page describing the bug in their article. Disabling CNAME Adblock for Tor would prevent the browser from sending DoH or standard DNS requests that are not routed through Tor. A hotfix was already planned for 1.21.x and in beta testing. Was then converted to stable. Here's the tweet where someone confirms it:

Brave Browser Tor DNS leak fix

Bleeping Computer has put together some more details in this article. The problem is probably fixed for now. Also Catalin Cimpanu has compiled some details at ZDNet.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *