Description of the issue:
I followed the instruction to start a new sync chain (Desktop to Android). After scanning the QR Code, there were suddenly more than 60 unknown devices in my sync chain. I now have access to all the other users' bookmarks. This is not a joke and I am shocked that something like this can happen. I have screenshots for proof.
Steps to Reproduce (add as many as necessary): 1. 2. 3.
Go to settings, choose sync, click on “start a new sync chain”, add a mobile device, scan the QR Code with the mobile device.
Reproduces how often:
Brave Version (See the About Brave page in the main menu):
Version 1.28.106 Chromium: 92.0.4515.159
Type of devices currently running on the Sync chain in question:
2 of my devices, around 60 unknown devices of other people
Additional Information:
This is really scary, how can I delete this sync chain including all of the bookmarks from my Android device? I can't find that option.
It disappoints me very much that there is no reaction to this post. What happened to me is a bad security issue.
That there is no reply lets me guess that 1. the developers don't care, 2. they don't believe me or 3. they don't know what the problem was.
So I show you my screenshots now and hope you will believe what I said and get to the bottom of the matter.
Not sure what is going on.
Can you back up your bookmarks as HTML on one of your computers?
Then leave the key chain, remove all the bookmarks, re-sync with a new key and bring back your stored bookmarks. This way you can get rid of all the sync devices. I checked mine too after seeing yours. I see only my devices. Other than this I do not know what is going on at your end.
I can’t try what you recommend. I started the chain with my laptop and added my Android phone. The other devices and bookmarks only appeared in the phone’s browser, not on my laptop. It’s like the same chain accidentally was created multiple times for different users. I am not an expert and I have no idea whether this is even possible, that’s just my guess.
However, I can’t find a way to leave the chain in the settings in the Android browser. It's a lot of work to delete all the hundreds of bookmarks manually so I guess my only chance is to deinstall the app.
Hi all, just registered here to request a feature, but then saw this thread and now I’m considering completely uninstalling Brave. That’s really sad as I was having a great experience in the last couple of months of use.
But this is a really bad security issue. As I’m using Brave to enhance my privacy, I can’t accept that such security bugs exist.
Please, we need a reply from some core developers to check the validity of this issue and to be more transparent on what’s going on.
@Maisbier what kind of data can you read from these devices other than bookmarks and browsing history? Are passwords readable? What about these users' addresses?
You do not need to delete all bookmarks one by one. Back up your bookmarks on your laptop as an HTML file. Store it on your laptop. Then uninstall on the phone or come out of sync on the phone. After this delete all bookmarks. Then on the laptop create a new sync chain. Import the backed-up bookmarks from the HTML file. Now sync the laptop and then the phone.
I am not sure whether this is easy. But I can’t think of any other way.
But like you said, it is possible many had got the same key chain accidentally. We have to think that way unless someone from Brave explains what is going on.
Sorry, I am not helpful in this issue other than what I said above.
It’s not so malicious. I do apologize, but we go through hundreds of threads across all our socials every day, thousands per month and sometimes issues slip through the cracks.
This is a very concerning issue and I have reached out to the team for more information. I know that it has been a long time but do you still have the device connected to that same Sync chain? If so can you please share a screenshot of your brave://sync-internals page?
If you ask me, the download source is irrelevant here, since it looks as if (somehow) the QR-code generation algorithm generated / used an already generated QR code. This also answers the question asked by @anujkmr953 in post #14.
We believe that we have found the root cause of the issue. It only appears to have affected a small number of users who followed the Sync setup steps incorrectly. We are attempting to notify those users now.
For now, please leave the Sync chain on all devices and restart the sync setup process with a new Sync code. Thank you.
I’m glad to see that finally this critical issue is being worked on professionally and seriously. Thank you Brave team.
Can you please share more details on this? What step wasn’t followed correctly? If possible you should avoid syncing stuff if the user is doing something incorrectly.