
Brave Privacy Bug Exposes Tor Onion URLs To Your DNS Provider


Brave Browser is fixing a privacy issue that leaks the Tor onion URL addresses you visit to your locally configured DNS server, exposing the dark web websites you visit.

Brave is a Chromium-based browser that has been modified with privacy in mind, including a built-in ad blocker, tight data controls, and a built-in Tor browsing mode for browsing the web anonymously.

Websites hosted on Tor use onion URL addresses that users can only reach through the Tor network. For example, DuckDuckGo’s Tor address is https://3g2upl4pq6kufc4m.onion/ and the New York Times’ address is https://www.nytimes3xbfgragh.onion/.

To access Tor onion URLs, Brave added a ‘Private Window with Tor’ mode that acts as a proxy to the Tor network. When you attempt to connect to an onion URL, your request is proxied through volunteer-run Tor nodes that make the request on your behalf and send back the returned HTML.

Screenshot: Brave’s Private Window with Tor browsing mode

Because of this proxy implementation, Brave’s Tor mode does not provide the same level of privacy as the dedicated Tor Browser.


Brave leaks Tor DNS requests

When Brave’s Tor mode is in use, it should forward all requests to the Tor proxies and send no information to any non-Tor Internet device; that is what makes the mode private.

However, a bug in Brave’s ‘Private Window with Tor’ mode causes the onion hostname of every Tor address you visit to also be sent as a standard DNS query to your machine’s configured DNS server, where the operator of that server (or anyone watching the network path to it) can see it.

This bug was first reported in a Reddit post and later confirmed by James Kettle, the Director of Research at PortSwigger.

BleepingComputer has also verified the claims by using Wireshark to view DNS traffic while using Brave’s Tor mode.

In that test (shown in the video accompanying the original report), visiting the DuckDuckGo and NY Times onion URLs in Brave’s Tor browsing mode also produced DNS queries for those onion hostnames to the locally configured DNS server, Google’s public resolver at IP address 8.8.8.8.
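The Wireshark check described above can be automated on the defender’s side. The following is an added example (not code from the article, Brave, or BleepingComputer) that parses the question section of raw DNS query packets and flags any query whose name falls under the .onion special-use domain, which per RFC 7686 should never be handed to a conventional resolver. The packets are constructed inline for the example; in practice they would come from a capture file or a DNS log.

```python
import struct

ONION_SUFFIX = "onion"  # RFC 7686 special-use TLD; must not be resolved via DNS


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (header + one question) for test input.
    Constructed for this example; not captured from a real browser session."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_question(packet: bytes):
    """Return (qname, qtype) for the first question in a DNS message, or None if malformed."""
    if len(packet) < 12:
        return None
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        if length == 0:  # root label terminates the name
            pos += 1
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            return None
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels).lower(), qtype


def is_onion_query(packet: bytes) -> bool:
    """True if the packet asks a resolver about a name under .onion (a leak indicator)."""
    parsed = parse_question(packet)
    if parsed is None:
        return False
    name, _ = parsed
    return name == ONION_SUFFIX or name.endswith("." + ONION_SUFFIX)


def find_onion_leaks(packets):
    """Return the leaked .onion names, in order, from an iterable of DNS query packets."""
    return [parse_question(p)[0] for p in packets if is_onion_query(p)]


# Constructed sample traffic: two onion names mixed with ordinary lookups.
SAMPLE_PACKETS = [
    build_query("example.com"),
    build_query("3g2upl4pq6kufc4m.onion"),
    build_query("dns.google", qtype=28),
    build_query("www.nytimes3xbfgragh.onion"),
    b"\x12\x34\x01",  # truncated garbage; must be ignored, not crash the scanner
]

if __name__ == "__main__":
    for leaked in find_onion_leaks(SAMPLE_PACKETS):
        print("ALERT: .onion name sent to a DNS resolver:", leaked)
```

Feeding this the UDP payloads of port-53 traffic from a capture is enough to reproduce the observation in the article: in a correctly working Tor mode the list should always be empty.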

Brave is aware of this bug as it was reported on their GitHub project page eighteen days ago, and developers have already created a fix.

The issue is caused by Brave’s CNAME uncloaking ad-blocking feature, which blocks third-party tracking scripts that hide behind CNAME DNS records pointing a first-party-looking hostname at a tracker’s domain. To decide whether a hostname is such a disguised tracker, the feature resolves the name through the system DNS resolver, and in Tor mode that lookup bypasses the Tor proxy and carries the onion hostname to the configured DNS server.

To prevent Tor URLs from being sent to configured DNS servers, Brave has disabled the CNAME ad-blocking feature while in the Tor browsing mode.
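To make the mechanism and the fix concrete, here is an added example (not Brave’s code; the hostnames, zone data and blocklist are all constructed for illustration) that models CNAME uncloaking: follow a hostname’s CNAME chain with a loop guard, check each target against a tracker blocklist, and gate the whole lookup so that nothing reaches the system resolver when the browser is in Tor mode or the name is under .onion. The resolver stand-in records every lookup, which is exactly the signal a regression test for this bug should assert on.

```python
# Constructed zone data (hypothetical names): a first-party-looking host that CNAMEs to a tracker,
# plus a deliberately looping pair to exercise the hop limit.
CNAME_RECORDS = {
    "metrics.example.com": "collector.example-tracker.net",
    "collector.example-tracker.net": "edge.example-tracker.net",
    "self.example.com": "loop.example.com",
    "loop.example.com": "self.example.com",
}
TRACKER_BLOCKLIST = {"example-tracker.net"}  # constructed; a real list is much longer


class RecordingResolver:
    """Stand-in for the OS resolver. Every call here represents a query leaving the machine."""

    def __init__(self, records):
        self.records = records
        self.queries = []

    def cname(self, host):
        self.queries.append(host)
        return self.records.get(host)


def matches_blocklist(host: str) -> bool:
    """Exact or subdomain match against the tracker blocklist."""
    return any(host == d or host.endswith("." + d) for d in TRACKER_BLOCKLIST)


def uncloak(host: str, resolver: RecordingResolver, max_hops: int = 8):
    """Follow CNAMEs from host; return the first blocklisted target, else None.
    Guards against CNAME loops and overly long chains."""
    seen, current = set(), host
    for _ in range(max_hops):
        if current in seen:
            return None
        seen.add(current)
        target = resolver.cname(current)
        if target is None:
            return None
        if matches_blocklist(target):
            return target
        current = target
    return None


def should_block_request(host: str, resolver: RecordingResolver, tor_mode: bool) -> bool:
    """Ad-block decision with the Tor-mode gate applied.
    The gate mirrors the article's fix: no CNAME uncloaking (and therefore no
    system DNS query) while in Tor mode; .onion names are never resolved at all."""
    if matches_blocklist(host):
        return True
    if tor_mode or host == "onion" or host.endswith(".onion"):
        return False
    return uncloak(host, resolver) is not None


def leaked_queries(host: str, tor_mode: bool):
    """Run one decision and report which names the resolver saw; empty means no leak."""
    resolver = RecordingResolver(CNAME_RECORDS)
    should_block_request(host, resolver, tor_mode)
    return resolver.queries


if __name__ == "__main__":
    print("normal mode, tracker cloaked as metrics.example.com ->",
          should_block_request("metrics.example.com", RecordingResolver(CNAME_RECORDS), tor_mode=False))
    print("tor mode, onion name, queries issued ->",
          leaked_queries("3g2upl4pq6kufc4m.onion", tor_mode=True))
```

The key property is the last one: with the gate in place, `leaked_queries` returns an empty list for any hostname in Tor mode, whereas without the gate the onion name would appear in the resolver’s query log, which is the leak the article describes.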

“Per discussion on slack with @bridiver and @iefremov, we came to a conclusion that disabling CNAME adblock for Tor would be the best option now. Considering in order to make DoH route through Tor, we need to remove LOAD_BYPASS_PROXY for dns transaction but it might introduce dns and proxy code looping when we need to resolve proxy name,” the Brave developers explained in the reported issue.

This fix was originally expected to roll out in Brave Browser Beta 1.21.x, but Brave Browser developer Yan Zhu tweeted that a hotfix will be uplifted to the next Stable version.
