Brave is a popular privacy-focused web browser. Founded in 2015 by Brendan Eich, one of the original Mozilla founders, Brave was in the spotlight from day one. Based on Chromium, its main feature is built-in advertisement and tracker blocking. Despite that, the company behind it is now in hot water over its approach to privacy.
The Security Flaw
Being privacy-focused, Brave decided to implement Tor functionality directly in its browser. Simply enable Tor mode, and you can browse onion sites anonymously through your normal browser. Most users would expect this feature to be safe, but what they didn't know is that every request they made was being leaked.
About a month ago, on the 13th of January, a user submitted a flaw to Brave's bug bounty program: the browser pipes .onion requests through the user's DNS. This results in a fingerprint revealing the destination and the IP of the user. To make matters worse, most people use the default DNS provided by their ISP, meaning the ISP has direct access to this information.
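One way to check from the defender's side whether .onion lookups are reaching a local resolver, as an added example that is not from the original article or from Brave. It assumes a dnsmasq resolver with `log-queries` enabled; the log lines and onion names are constructed placeholders.

```python
import re
from collections import defaultdict

# dnsmasq "log-queries" format: "... query[A] <name> from <client-ip>"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")
# Onion service labels are base32: 16 characters (v2) or 56 characters (v3).
ONION_LABEL_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

# Constructed placeholder names and log lines (not real services or traffic).
V2 = "a2" * 8
V3 = "b3" * 28
SAMPLE_LOG = "\n".join([
    "Feb 19 10:02:11 dnsmasq[812]: query[A] example.com from 192.168.1.20",
    f"Feb 19 10:02:14 dnsmasq[812]: query[A] {V2}.onion from 192.168.1.20",
    f"Feb 19 10:02:15 dnsmasq[812]: query[AAAA] www.{V3}.onion from 192.168.1.20",
    f"Feb 19 10:03:40 dnsmasq[812]: query[A] {V3.upper()}.ONION. from 192.168.1.35",
    "Feb 19 10:03:41 dnsmasq[812]: query[A] onion.example.org from 192.168.1.35",
    "Feb 19 10:03:42 dnsmasq[812]: query[A] notanaddress.onion from 192.168.1.35",
    "Feb 19 10:03:43 dnsmasq[812]: reply example.com is 192.0.2.10",
])


def find_onion_leaks(log_text):
    """Map client IP -> [(name, qtype, well_formed)] for each .onion query seen.

    Any hit is a leak: RFC 7686 reserves .onion, so these names should be
    handled inside Tor and never reach an ordinary DNS resolver.
    """
    leaks = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        # DNS names are case-insensitive and may carry a trailing root dot.
        name = m.group("name").lower().rstrip(".")
        labels = name.split(".")
        if len(labels) < 2 or labels[-1] != "onion":
            continue
        # The label left of ".onion" is the service address; subdomains may precede it.
        well_formed = bool(ONION_LABEL_RE.match(labels[-2]))
        leaks[m.group("client")].append((name, m.group("qtype"), well_formed))
    return dict(leaks)


if __name__ == "__main__":
    for client, hits in find_onion_leaks(SAMPLE_LOG).items():
        for name, qtype, well_formed in hits:
            kind = "onion address" if well_formed else "malformed .onion name"
            print(f"{client} leaked {qtype} lookup for {name} ({kind})")
```

A well-formed hit shows which service a client tried to reach; a malformed one still shows Tor-bound lookups leaving over plain DNS.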
Despite receiving information about this flaw in mid-January, the team behind Brave did not rush to fix the issue. About 2 weeks after the team received the information, the first patch was released, but only for the beta version of the browser. The plan was to make the update public with the official release of version 1.21.x, which would have taken at least 2 more weeks. Hearing this news, the public became outraged and the story picked up steam. Brave was quick to cover its tracks, releasing the patch sooner.
Users expect privacy from a privacy-focused browser. Brave decided to prove them wrong. Security flaws are expected in almost every piece of software. It's the actions after the flaw is found that reveal your views on privacy. Brave showed its users that privacy is not its top priority. After being aware of the flaw for weeks, the team neglected it and did not even seem to rush; instead, they took their time to fix it.