Brave Browser WebRTC leak, fingerprinting issues and general security

performance

#1

Did some testing with TAP VPN services and other browsers.

Brave while claiming to be a secure browser is very insecure. It does not permit a user to disable web-rtc, and it is completely vulnerable to web-rtc.

When connected through a TAP VPN brave browser leaks:
Both local IP addresses
Both External ipv4 && ipv6 addresses
The local DNS server

When connected through a hardware VPN (only “out” for the whole network)
Brave still leaks both local IP addresses (VPN & NAT’d)

As for its main claim of protecting user privacy the above fault completely FAILS that claim as this browser EXPOSES the user.

Furthermore, a vanilla installation fullscreened on a 1080p monitor does not perform any better than Chrome or Firefox when EFF’s Panopticlick fingerprinting test is run on it. The browser does not protect from unique fingerprinting even though absolutely no configurations have changed.

This browser, right now, does not have a leg to stand on. If you value privacy, use a more mainstream browser with HTTPS Everywhere, uBlock Origin installed and WebRTC disabled. If you care about anonymity, use Tor’s browser.

As a security researcher I’d actually consider this browser to be malware if I located it in a secure environment, because in addition to the above it comes pre-loaded with 3rd-party password managers which are insecure by definition, and the inbuilt password manager is a literal joke as it doesn’t even allow you to password protect (secure) the saved passwords and stores them plaintext.

edit: To clarify, the same VPN services brave leaks data with do NOT leak AT ALL in firefox or internet explorer.


#2

Hi @BrowserIsBad,

Thanks for reporting. Can you also give more info:

What sites did you use to test this?
What are your shields settings (lion icon at top right)?
Your Brave version?
Your OS?

Also, this thread, "How do I turn on Browser Fingerprinting Protection and make sure that it's working?", and this one, "All About Fingerprinting Protection Mode", may help answer.

Also cc @kamil and @LaurenWags for visibility.
:slight_smile:


#3

Fingerprinting: http://panopticlick.eff.org/ - unique signature even though no changes have been made & according to your link fingerprinting protection is on by default, this is probably intentional as to how Brave works regarding this. You’re “unique” but always unique so you can’t be followed, as opposed to just looking like other people.

WebRTC Test: https://browserleaks.com/webrtc - shows both VPN IP and Local IP (Firefox passes this)
DNS Leak Test: dnsleaktest .com - extended test - leaks that I’m using Google DNS even though the VPN resolves with its own servers
IP Leak Test: ipleak .net - no leaks
Brave Version: Latest at time (0.21.24) all default settings, all shields except script enabled.
OS: Windows 10

Upon restarting the computer after the Brave browser was installed it still leaks DNS through VPN and leaks everything through WebRTC.

The WebRTC leak alone honestly is bad enough as it actually exposes your IP through a VPN.
Apologies for broken links, posting rule.

Worth mentioning the VPN used is always NordVPN, but different setup methods.
Both setups leak when using brave. (TAP driver installation && hardware setup in DDWRT which genuinely confuses me)
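
An added example, not part of any post in this thread and not Brave's or any test site's code: WebRTC leak tests work from the ICE candidate lines the browser hands to page script, and the sketch below classifies the address in each line so you can see which ones expose a local or non-VPN address. The candidate lines, the `vpnExitAddresses` parameter and all function names are constructed for illustration.

```javascript
// Added example. Candidate lines are constructed sample data using
// documentation and private address ranges, not output from any real test.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host",
  "candidate:2 1 udp 2122194687 10.8.0.6 51001 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 51002 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 1686052351 2001:db8::1234 51003 typ srflx raddr :: rport 0",
  "candidate:5 1 udp 2122260223 3f2a9c1e-7b4d-4e8a-9c0f-1a2b3c4d5e6f.local 51004 typ host",
];

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.replace(/^a=/, "").trim().split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") return null;
  return { address: f[4].toLowerCase(), port: Number(f[5]), type: f[7] };
}

function classifyAddress(addr) {
  if (addr === "::" || addr === "0.0.0.0") return "unspecified";
  if (addr.endsWith(".local")) return "mdns-obfuscated"; // hostname instead of a local IP
  if (addr.includes(":")) {
    if (addr === "::1") return "loopback";
    if (/^f[cd][0-9a-f]{2}:/.test(addr)) return "private"; // fc00::/7 unique local
    if (/^fe[89ab][0-9a-f]:/.test(addr)) return "link-local"; // fe80::/10
    return "public-ipv6";
  }
  const p = addr.split(".");
  if (p.length !== 4 || !p.every((s) => /^\d{1,3}$/.test(s) && Number(s) <= 255)) return "unknown";
  const [a, b] = p.map(Number);
  if (a === 127) return "loopback";
  if (a === 169 && b === 254) return "link-local";
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  return "public-ipv4";
}

// vpnExitAddresses (assumed input): public addresses the tunnel is expected to show.
function leakReport(lines, vpnExitAddresses = []) {
  const report = { localExposed: [], publicExposed: [], obfuscated: 0 };
  for (const c of lines.map(parseCandidate).filter(Boolean)) {
    const kind = classifyAddress(c.address);
    if (kind === "mdns-obfuscated") report.obfuscated += 1;
    else if (kind === "private" || kind === "link-local") report.localExposed.push(c.address);
    else if (kind.startsWith("public") && !vpnExitAddresses.includes(c.address)) report.publicExposed.push(c.address);
  }
  report.leak = report.localExposed.length + report.publicExposed.length > 0;
  return report;
}

console.log(leakReport(SAMPLE_CANDIDATES, ["203.0.113.45"]));
```

With the sample data, the two private host addresses and the IPv6 address outside the tunnel are reported, while the address matching the VPN exit and the `.local` hostname are not.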


#4

I’m also very concerned about the WebRTC IP address leak. I’ve tried Brave using each of VyprVPN and ProtonVPN on Windows 10 and they both leak according to doileak.com. As Brave appears to be based on Chromium, it ought to be possible to correct this. There is an extension for Chrome that solves this problem. Its name is WebRTC Leak Prevent. Please would the Brave devs check this out? From my point of view, this is a dealbreaker.


#5

@BrowserIsBad @spinon the team is working on an option to disable WebRTC

Best,
:slight_smile:


#6

That is very reassuring. Thanks. :blush:

spinon


#7

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.