Brave Potential Security Issue with Brave Identified - changed Characters in URL

#1

Description

When copying and pasting a link from one platform to another in this case from bitrix24 platform to the chrome browser the link changes, but the change cannot be seen in the brave browser, it can only be seen by copying the url from the brave browser and inputting it either into another text based document or in the google chrome url.

Example this url was copied (partially shown) and the original was like this (XXX = Characters removed for my security)

https://docs.google.com/document/d/XXXXXXXXX_JTa0C5hjKtIbugDdOTP0RL8uZwMA/edit

When I paste into the browser it looks exactly as it does above, but I get an error on the web page from google docs saying the document cannot be found.

As can be seen in this link. https://www.screencast.com/t/xYUhTwxxM

But on the brave browser the characters match exactly with the source copy. So i decided to copy and past the link that i pasted in the chrome browser to a text base area and this is what I got

https://docs.google.com/document/d/XXXXXXXX_JTa0C5hjKtIbugDdOTP0RL8uZwMA/­edit?usp=sharing

So somehow [%C2%ADedit] got inserted into the link!!! That is not just the disturbing part. The disturbing part is that Brave does not pick this up, alert to the change or show it in the address bar!!!

This is very unsettling with the prospect of sending wallet keys for transferring coins across the blockchain. PLEASE LOOK INTO THIS QUICKLY!! 911

Steps to Reproduce

  1. Create a google docs link
  2. Copy and paste the link and create a url clickable link with it
  3. Copy the url to the brave url, and it should give you an error
  4. Then copy the url back to another word / text base file or note pad.

Actual Result (gifs and screenshots are welcome!):

Expected result:

Error as seen above

Reproduces how often:

40%

Brave Version(about:brave):
Version 0.60.45 Chromium: 72.0.3626.109 (Official Build) (64-bit)
Reproducible on current live release (yes/no):
Yes
Additional Information:
Basically you want to copy from an environment or not even copy but click from here https://www.screencast.com/t/ZxKxkQ93q which is what i did and the errors came up from clicking from the source document while opening a new page in a new tab

Anyone using crypto should be very concerned about this

0 Likes