Brave Automatically Redirecting User to Vendor Site (Possible Security Hole)

Description of the issue:
I typically keep Brave open with a large number of ordered tabs, each with a different site that I frequently use. Starting 1/4/2021, different Brave tabs would occasionally and unexpectedly redirect to zaful dot com. This happened in (at least) 3 different tabs: Twitter, eBay, and MeWe.

Steps to Reproduce (add as many as necessary):
Either:

  1. open a new tab and type in “ebay.com” in the URL field
  2. in an existing tab, click the refresh button
  3. the existing site refreshes itself (this happened overnight once – in the morning, the MeWe tab had been overlaid with zaful dot com)

Actual Result (gifs and screenshots are welcome!):
In each case, the browser automatically redirected to zaful dot com.

Expected result:
The site that I intended to be on should be loaded.

Reproduces how often:
Appears to happen every 4 or so hours. Maybe less often. Wasn’t fully predictable.

Operating System and Brave Version (See the About Brave page in the main menu):
MacOS Mojave
Brave 1.18.78

Additional Information:
Rooting around in the Brave data directory revealed the following code in the Brave Preferences file:

“web_apps”:{“daily_metrics”:{“https://community.brave.com/":{“background_duration_sec”:0,“effective_display_mode”:3,“foreground_duration_sec”:0,“installed”:false,“num_sessions”:0,“promotable”:true},“https://open.spotify.com/?utm_source=pwa_install”:{“background_duration_sec”:0,“effective_display_mode”:3,“foreground_duration_sec”:0,“installed”:false,“num_sessions”:0,“promotable”:true},“https://twitter.com/?utm_source=homescreen&utm_medium=shortcut”:{“background_duration_sec”:0,“effective_display_mode”:3,“foreground_duration_sec”:0,“installed”:false,“num_sessions”:0,“promotable”:true},“https://www.google.com/maps?force=tt&source=ttpwa”:{“background_duration_sec”:0,“effective_display_mode”:3,“foreground_duration_sec”:0,“installed”:false,“num_sessions”:0,“promotable”:true},“https://www.tiktok.com/foryou?from=sw”:{“background_duration_sec”:0,“effective_display_mode”:2,“foreground_duration_sec”:0,“installed”:false,“num_sessions”:0,“promotable”:true},“https://www.zaful.com/?from=screen&utm_source=pwa”:{“background_duration_sec”:0,“effective_display_mode”:3,“foreground_duration_sec”:0,“installed”:false,“num_sessions”:0,"promotable”:true}},

I used the Brave reset settings function, but that did not remove these entries. When I manually deleted the entry for zaful dot com from this list, the problem stopped happening.

I am not fully sure what this section of the Preferences is, but I suspect it’s something that lets 3rd parties run something periodically to collect metrics, even when you aren’t visiting their site. If this is the case, this is 1) a serious privacy violation and 2) a loophole that appears to allow sites to persist and, without authorization, push Brave users to a desired site. Some might consider this “malware”. I do.

Note that Malwarebytes and several other tools did not find this. They reported no problems.
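
Added example, not part of the original post and not Brave's own code: a JSON-aware version of the search and manual deletion described above. It lists the `web_apps.daily_metrics` keys by hostname, finds every path in the Preferences JSON that mentions a domain, and returns a copy without that domain's entries. The sample data is constructed and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the fragment quoted in the post (not a real profile).
SAMPLE_PREFS = json.loads("""
{
  "web_apps": {
    "daily_metrics": {
      "https://community.brave.com/": {"installed": false, "num_sessions": 0, "promotable": true},
      "https://www.zaful.com/?from=screen&utm_source=pwa": {"installed": false, "num_sessions": 0, "promotable": true}
    }
  },
  "profile": {"name": "constructed-example"}
}
""")


def daily_metric_hosts(prefs):
    """Map each web_apps.daily_metrics key (a URL) to its hostname."""
    metrics = prefs.get("web_apps", {}).get("daily_metrics", {})
    return {url: (urlsplit(url).hostname or "") for url in metrics}


def find_paths(node, needle, path="$"):
    """JSON-aware grep: paths whose key or string value contains needle."""
    needle, hits = needle.lower(), []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}[{json.dumps(key)}]"
            if needle in key.lower():
                hits.append(child)
            hits.extend(find_paths(value, needle, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_paths(value, needle, f"{path}[{i}]"))
    elif isinstance(node, str) and needle in node.lower():
        hits.append(path)
    return hits


def drop_daily_metrics(prefs, domain):
    """Return a copy of prefs without daily_metrics entries for domain or its subdomains."""
    cleaned = json.loads(json.dumps(prefs))  # deep copy; the input stays untouched
    metrics = cleaned.get("web_apps", {}).get("daily_metrics", {})
    for url, host in daily_metric_hosts(cleaned).items():
        if host == domain or host.endswith("." + domain):
            del metrics[url]
    return cleaned
```

To run it on a real profile, load a copy of the Preferences file with `json.load` in place of `SAMPLE_PREFS`.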

Unable to replicate this, opening a new ebay tab while refreshing another tab. I had no issues here. Would recommend also temp disabling Malware web protection, in case this is causing issues.

Did you add the link in the daily_metrics? If you do not, it won’t happen. Also, it happens infrequently. You may have to wait a good while to see the behavior.

I don’t normally modify my preferences file, but will check it out

OK. To be clear, I didn’t modify my preferences. Something put that entry in there. It’s when I deleted the entry that the bad behavior stopped. But of course to test, you would have to put the entry in yours, at least in a test environment.

Maybe caused by extension, @akaGeekgirl?

The only extension I run is SocialFixer which is a Facebook thing. Does anyone know enough about the code to know what this block is used for and how entries get in there? I deleted the entire block and after visiting a few sites (e.g., Twitter and Spotify), they had added stuff in there.

My hypothesis is that this vendor site was presented as a 3rd party ad on some page I frequent and I accidentally clicked on it. Then it added an entry for itself which allowed it to keep running in my browser and overload pages at will. I don’t know this for a fact. But, if that’s possible, is that not a security issue?

Would suggest you try disabling this first. Just in case. 🤷

I did. Didn’t do anything. I also tried resetting the settings. That didn’t work. I recursively grepped all the files in the Brave directory for “zaful”, and with the exception of the history and cache, this was the only file that had any reference to that site. Clearing the history and cache didn’t fix it. The only thing that made this stop was to delete those entries in the Preferences file.

Just testing the string, doesn’t seem to be valid json.

The “” seems to be incorrect for a start

Tested via https://jsonlint.com/

This string is a slice out of valid json. I just copied from the Preferences file json and pasted here. I think you’d have to take the daily_metrics section and paste it into the web_apps section in your Preferences file json. If you have an existing daily_metrics section, you might be able to just copy the zaful entry and add it in.

I have a saved copy of the bad Preferences file. I tried uploading a sanitized copy (which I verified IS valid json), but this system says I cannot upload files because I’m a new user. I don’t know how I am supposed to get it to you.

Here’s a Dropbox link to the file. https://www.dropbox.com/s/icc2b8767c00zbx/Preferences.sanitized.txt?dl=0

Where is this file located in Windows 10? I’d like to check mine too.

I’m not really sure as I’m not a Windows 10 user. I found this:

You can try looking in the hidden AppData folder under the user’s home directory. You’d probably have to use a cmd prompt to get there since it is hidden.

Maybe someone else can help with this?