Brave Browser Leaks Privacy Info – It Leaks Local Information (IP Address or Language) to Google and YouTube Over VPN Whereas Firefox Does Not

Description of the issue:
Firstly, I am a big fan of the Brave browser because of the bold privacy protection claim it offers. But for the last few months I’ve been facing a privacy issue with it, and it still continues. Let me explain:

Whenever I use the Brave browser with a VPN service and surf YouTube and Google to do some research for my business or work:

  1. YouTube offers local results in auto-suggestion and also shows me, on the results page, results in which most videos are in my local language instead of results for the country which is selected in the VPN software.

  2. And Google: it also offers results in auto-suggestion in my local language and shows, on the results page, results which are in my local language instead of showing me the results for the country which I selected in the VPN.

For me it’s a serious issue because it’s a privacy breach issue… :frowning_face:

Initially, when it happened, I thought there might be something wrong with the VPN, so I switched to premium VPN services like:

  1. Initially I started using a few small low-cost VPN services, then switched to these real premium services:

  2. AVG Secure VPN

But the problem wasn’t resolved, so I bought another VPN service:

  1. F-Secure FREEDOME VPN and then bought:

  2. Avira Phantom PRO VPN

But unfortunately the problem still exists, so finally I paid a hefty amount to:

  1. NordVPN

And STILL, when I surf YouTube and Google using the Brave browser, it shows mixed results in my local language and in English, so I gave Firefox a try (unwillingly), and

fortunately, when I used Firefox with any of the premium VPN services which I mentioned above and surfed YouTube and Google, they did not show me results in my local language; rather, they showed me the results for the country which I selected in the VPN software.

I did this testing over and over again, which proved to me that Brave Browser does have an issue which leaks private information in terms of either local IP address or local language name or something (which I don’t know), etc., which tells YouTube and Google which country the person who is surfing is from, instead of the country selected in the VPN.

I do want to mention that when I surf via Brave using a VPN, the bottom of the Google page does show the country which I selected in the VPN, but Google still shows me a pretty dominant share of results in my local language (a mix of local-language and English results), whereas with Firefox Google shows purely results for the country which I selected in the VPN.

I don’t prefer to use Firefox because, for privacy, we need to rely on plugins, and many times in the past, as soon as I updated FF, the plugins which I used for privacy protection weren’t compatible with the new version, so FF disabled them on its own; all privacy was gone, I was stuck and the work was stopped. In this scenario I was looking for a solution and Brave Browser came into the picture :slight_smile: with an assurance that it protects privacy (with built-in privacy protection), but I didn’t know this is how it protects: by leaking local information.

Google (their analytics and other services) is the biggest silent spyware, and I know Brave is built on Chrome, but still I trusted Brave because of its bold claims of privacy protection.

I’m sure you won’t play with users’ trust, so I have taken the time to share this issue in the hope that someone over here will fix it.

How can this issue be reproduced?

  1. You can use the above-mentioned VPN services yourself with the Brave browser and then repeat the same process using Firefox on desktop.

Expected result:
The Brave browser should respect privacy and not leak local information like IP address or language or something which tells Google and YouTube that a person is from this or that country, especially when a user is using VPN services.

Brave Version (check About Brave):
Version 1.1.20 Chromium: 79.0.3945.74 (Official Build) (64-bit)

Additional Information:
BTW I use Windows 10 64-bit
and use Brave on my desktop
and only use VPN software at the network level so that all data is routed through the VPN.

Apart from that, I have also taken these actions to protect privacy in Windows 10:

  1. I change my IP address before and after using the VPN to stop tracking & I don’t use Gmail
  2. I use a separate Brave profile for VPN surfing and only use it over VPN
  3. I use DNS leak protection
  4. I disabled Teredo in Windows
  5. I turned off IPv6 support in Windows 10 to prevent leaking
  6. I also disabled smart multi-homed name resolution

Still, the Brave browser leaks local info, which is not acceptable.

I’m here to provide any other info which you want from my side to fix the privacy leak issue in Brave Browser, because I don’t want to switch to Firefox and want to stick to Brave.

Brave does not leak anything. However, Brave transmits header information to the server you are visiting. Part of the header information is the language settings. This is normal and expected behavior.

Some browsers (Firefox and others) will give you the ability to edit header information. Brave does not. But this has nothing to do with the leak of any sensitive information. You can edit your language settings in the Brave settings if you want to change them.

This is not about headers; let me share:

Ever since I installed Brave, the default language has been English (US); please see the screenshot:

Secondly, here is the header information which I got with the help of a free site:

|HTTP Header*|Value|
|---|---|
|Accept|`text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9`|
|Accept-Encoding|`gzip`|
|Accept-Language|`en-US,en;q=0.9`|
|Dnt|`1`|
|Upgrade-Insecure-Requests|`1`|
|User-Agent|`Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36`|

As you can see above, in the headers the Accept-Language is en-US, which is English. I didn’t create this post for fun; I know what I’m talking about. By creating this post I want to bring this issue in front of the community so that it can be resolved and we can continue using Brave.

Thirdly, I did not set any special language in Firefox. The same English language is set in Firefox just like in Brave, nor did I modify anything in Firefox.

As you said:

“Brave does not leak anything…………….
………But this has nothing to do with the leak of any sensitive information…………”

I’m not after that Brave “does” leak personal information; what I’m trying to say is that there is something wrong with it. It says it protects privacy, but it may have a flaw which leaks your location or local language etc., through which Google and YouTube come to know where you are from and what your local language is. Based on my analysis I found that yes, something is wrong with Brave, or in other words it does leak some kind of information which lets these grand spies Google and YT come to know your local language or actual location while using a VPN.

I’m not sure if I understand you correctly. You have set Brave to be displayed in English. Is this correct? If so, it is expected behavior for Brave to put your chosen language in the headers or metadata that it will send out every time you request a webpage.

Hello, there seems to be 2 claims in this post.

  1. Brave doesn’t change the Accept-Language header when a user switches to VPN, whereas Firefox apparently does?
  2. Brave leaks true IP over VPN

(1) is expected, though we could potentially change it. (2) is something that I’m not aware of - do you mean public IP address or the internal IP address? If you’re worried about internal IP leak, you can change the WebRTC setting in brave://settings. https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc


Regarding internal IP addresses: Since WebRTC cannot be effectively blocked in Chromium based browsers it will always be leaked. Extensions can probably help with that. Flag settings can however not effectively prevent internal IP address leaking.

Brave is not to blame but the Chromium devs who refuse to implement necessary changes to the code.
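
The WebRTC setting discussed in the replies above can be checked from the browser itself. The following is an added example, not code from this thread or from Brave: it classifies ICE candidate lines by the kind of address they carry. The function names and the sample candidates are constructed for illustration.

```javascript
// Added example (not from the thread). Classifies WebRTC ICE candidate lines by
// the address they expose. Candidate line layout (RFC 8839):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function isPrivate(addr) {
  const a = addr.toLowerCase();
  if (a.includes(':')) return /^(fe[89ab]|f[cd])/.test(a); // fe80::/10 link-local, fc00::/7 ULA
  const [o1, o2] = a.split('.').map(Number);
  return o1 === 10 || (o1 === 172 && o2 >= 16 && o2 <= 31) ||
         (o1 === 192 && o2 === 168) || (o1 === 169 && o2 === 254);
}

function classifyCandidate(line) {
  const f = line.replace(/^a=/, '').trim().split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  const address = f[4];
  let exposure = 'public-ip'; // e.g. srflx: the address a STUN server saw
  if (address.endsWith('.local')) exposure = 'mdns-obfuscated'; // random name, no IP shown
  else if (isPrivate(address)) exposure = 'internal-ip';
  return { address, type: f[7], exposure };
}

function summarize(lines) {
  const report = { 'internal-ip': [], 'mdns-obfuscated': [], 'public-ip': [] };
  for (const line of lines) {
    const c = classifyCandidate(line);
    if (c && !report[c.exposure].includes(c.address)) report[c.exposure].push(c.address);
  }
  return report;
}

// Browser only (devtools console of the profile under test): gathers this
// browser's own candidates. With no STUN server configured only host
// candidates appear, which is where an internal IP would show up.
async function gatherOwnCandidates(waitMs = 2000) {
  const pc = new RTCPeerConnection();
  const lines = [];
  pc.onicecandidate = (e) => { if (e.candidate) lines.push(e.candidate.candidate); };
  pc.createDataChannel('probe');
  await pc.setLocalDescription(await pc.createOffer());
  await new Promise((resolve) => setTimeout(resolve, waitMs));
  pc.close();
  return lines;
}

// Constructed sample candidates (private and documentation addresses, not real captures).
const SAMPLE = [
  'candidate:1 1 udp 2113937151 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 2113939711 3f2a1c9e-0d4b-4c6a-9b1e-7a5d2c8e4f10.local 54322 typ host generation 0',
  'candidate:3 1 udp 1677729535 203.0.113.7 54321 typ srflx raddr 0.0.0.0 rport 0 generation 0',
];
console.log(summarize(SAMPLE));
```

In a browser, `gatherOwnCandidates().then(summarize)` gives the same report for the live profile; an empty `internal-ip` list means no internal address appeared in the candidates gathered under the current WebRTC setting.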
