Around 60 unknown devices in my sync chain including their bookmarks

Description of the issue:
I followed the instructions to start a new sync chain (Desktop to Android). After scanning the QR code, there were suddenly more than 60 unknown devices in my sync chain. I now have access to all the other users' bookmarks. This is not a joke, and I am shocked that something like this can happen. I have screenshots for proof.

Steps to Reproduce (add as many as necessary):
1. Go to Settings, choose Sync, and click on "Start a new sync chain".
2. Add a mobile device.
3. Scan the QR code with the mobile device.

Reproduces how often:

Brave Version(See the About Brave page in the main menu):
Version 1.28.106 Chromium: 92.0.4515.159

Type of devices currently running on the Sync chain in question:
2 of my devices, around 60 unknown devices of other people

Additional Information:
This is really scary. How can I delete this sync chain, including all of the bookmarks, from my Android device? I can't find that option.


It disappoints me very much that there is no reaction to this post. What happened to me is a bad security issue.
That there is no reply lets me guess that 1. the developers don't care, 2. they don't believe me, or 3. they don't know what the problem was.
So I will show you my screenshots now and hope you will believe what I said and get to the bottom of the matter.

or 4. They acknowledge there is a problem, but they have no idea how to fix it, because all they really care about is a steady stream of money from revenue.

Not sure what is going on.
Can you back up your bookmarks as HTML on one of your computers?
Then leave the key chain, remove all the bookmarks, re-sync with a new key, and bring back your stored bookmarks. This way you can get rid of all the sync devices. I checked mine too after seeing yours. I see only my devices. Other than this, I do not know what is going on on your end.

I can't try what you recommend. I started the chain with my laptop and added my Android phone. The other devices and bookmarks only appeared in the phone's browser, not on my laptop. It's like the same chain was accidentally created multiple times for different users. I am not an expert and I have no idea whether this is even possible; that's just my guess.
However, I can't find a way to leave the chain in the settings of the Android browser. It's a lot of work to delete all the hundreds of bookmarks manually, so I guess my only chance is to uninstall the app.

Not only you…

Hi all, I just registered here to request a feature, but then saw this thread and now I'm considering completely uninstalling Brave. That's really sad, as I was having a great experience in the last couple of months of use.
But this is a really bad security issue. As I'm using Brave to enhance my privacy, I can't accept that such security bugs exist.

Please, we need a reply from some core developers to check the validity of this issue and to be more transparent about what's going on.

@Maisbier what kind of data can you read from these devices other than bookmarks and browsing history? Are passwords readable? What about these users' addresses?

You do not need to delete all bookmarks one by one. Back up your bookmarks on the laptop as an HTML file. Store it on your laptop. Then uninstall on the phone or leave the sync chain on the phone. After this, delete all bookmarks. Then on the laptop create a new sync chain. Import the backed-up bookmarks from the HTML file. Now sync the laptop and then the phone.
I am not sure whether this is easy. But I can't think of any other way.

But like you said, it is possible many got the same key chain accidentally. We have to think that way unless someone from Brave explains what is going on.

Sorry, I am not helpful in this issue other than what I said above.

What is that you try to communicate here?

It’s not so malicious. I do apologize, but we go through hundreds of threads across all our socials every day, thousands per month and sometimes issues slip through the cracks.

This is a very concerning issue and I have reached out to the team for more information. I know that it has been a long time, but do you still have the device connected to that same Sync chain? If so, can you please share a screenshot of your brave://sync-internals page?

Seems as if there are not enough employees in the Brave company (whatever its legal status). Hire more, then.

=======

As per Sync function and this problem:

When a user installs Brave for the first time, creates a sync chain, and adds devices, then:

  • one device = one entry,

Where is this info (Sync) stored? Locally on the machine that initialized the sync chain, or on a Brave sync server?

@Maisbier,
Can you also please confirm whether or not you downloaded Brave (on both devices) from the official website (https://brave.com/download)?

Is there any possibility that a Brave browser creates the same sync chain accidentally for two different users or computers?

If you ask me, the download source is irrelevant here, since it looks as if (somehow) the QR code generation algorithm generated or used an already generated QR code. This also answers the question asked by @anujkmr953 in post #14.


The security team is investigating this problem.

For @Maisbier and anybody else who is affected, could you please submit a report on https://hackerone.com/brave?type=team&view_policy=true. We’d like to get more information from you but we’d rather not ask for that in a public channel.


We believe that we have found the root cause of the issue. It only appears to have affected a small number of users who followed the Sync setup steps incorrectly. We are attempting to notify those users now.

For now, please leave the Sync chain on all devices and restart the sync setup process with a new Sync code. Thank you.

I’m glad to see that finally this critical issue is being worked on professionally and seriously. Thank you Brave team.

Can you please share more details on this? What step wasn't followed correctly? If possible, you should avoid syncing stuff if the user is doing something incorrectly.

Yes, there are still 32 devices in my chain; some disappeared, some I deleted myself.
I took a screenshot; I hope it helps.

Yes, I always download from official websites. The Android app is from the official Play Store, and my phone is not rooted.
