Brave Web Browser 1.20.108 Is Released With Fix For Major Security Flaw In Private Tor Windows
Several recent versions of the Brave Web Browser have had a very unfortunate DNS-leak flaw in the "private" Tor-based browsing feature. The latest version, 1.20.108, has a new version of the Chromium core it is based on (88.0.4324.182), a fix for DNS leaks in supposedly "private" web browser windows and two fixes specific to macOS. You should upgrade if you rely on Brave for "private" web browsing or use it to access Tor onion sites.
The "Private Window with Tor" feature in the Brave Web Browser advertises that:
"With Tor, your browsing is also hidden from your ISP or employer, and your IP address is hidden from the sites you visit."
One major problem with that story is that several recent versions of the Brave Web Browser did not, in fact, hide what sites you visited "from your ISP or employer", and they would additionally report DNS queries to Google via their DNS servers.
Rambler over at ramble.pw reported that previous versions of Brave would even send queries for location-hidden onion sites on the Tor network to your regular system-configured DNS provider:
"This is especially worrisome for those of you who use Brave browser from your normal residential IP and (for whatever reason) use the Tor feature built into the browser to access Tor sites. Your ISP or DNS provider will know that a request made to a specific Tor site was made by your IP. With Brave, your ISP would know that you accessed somesketchyonionsite.onion."
You should upgrade and ensure that you are using version 1.20.108 or newer if you occasionally use the Brave Web Browser to access Tor onion sites or rely on its "private" Tor-browsing mode for anything even remotely critical. You can acquire the latest version from brave.com.