A privacy bug in the Brave Browser caused the leak of the Tor onion URL addresses visited in the Tor mode by the users.

A bug in the Private Window with Tor implemented in the Brave web browser could reveal the onion sites visited by the users.

The Tor mode implemented in the Brave web browser allows users to access .onion sites inside Brave private browsing windows.

When users are inside a Private Window with Tor, Brave doesn’t connect directly to a website, instead, it connects to a chain of three different computers in the Tor network.

An anonymous researcher initially reported that the Brave’s Tor mode was sending queries for .onion domains to public internet DNS resolvers, other experts confirmed his findings.

“If you’re using Brave you probably use it because you expect a certain level of privacy/anonymity. Piping .onion requests through DNS where your ISP or DNS provider can see that you made a request for an .onion site defeats that purpose.” explained the researcher. “Anyhow, it was reported by a partner that Brave was leaking DNS requests for onion sites and I was able to confirm it at the time.”