On 22 July 2020, we were alerted by user hihouhou on HackerOne that the full logs exported from brave://rewards-internals on Brave Desktop (all versions) and Android (Beta/Nightly only) contained an Uphold OAuth token. An attacker with access to this token would be able to transfer up to 250 BAT from the victim’s Uphold wallet. These logs are only stored locally by default, but in some instances, the Brave Support team asked users to send these logs privately to the Support team for debugging purposes. As far as we know, the token has never been used maliciously.
Upon verifying this issue, the Brave team stopped asking for these logs and deleted all DMs from users which contained rewards-internals logs. Logs that were temporarily stored on Brave employees’ computers for debugging were also deleted. On July 24, Brave Desktop 1.11.101 was released with a fix to remove the token from the logs. On July 30, Android 1.11.105 was released with the fix. We also asked Uphold to invalidate all existing OAuth tokens for Brave Browser, which they did on 27 July 2020.
On 16 August 2020, hihouhou alerted us that there was another case in which the Uphold OAuth token would be logged. The Brave Support team had not asked for Rewards logs since the first security incident, and we verified that no logs had been sent to us since Uphold revoked all the tokens on 27 July 2020. Thus, this issue had no real impact on users as far as we know. Nonetheless, the fix for this was released on desktop in Brave 1.12.114 and in Android 1.13.
As a defense-in-depth measure, we disabled logging by default in the 1.13 release and deleted existing logs for users who had Rewards enabled at the time of the upgrade to 1.13.82. Moving forward, we will make sure that logged fields are comprehensively audited before re-enabling logging. Until then, Support will not ask for Rewards logs.
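The two incidents above share one root cause: a credential that was written into a diagnostic log and then travelled with that log. The defensive pattern is to scrub token-bearing fields before a log is exported and to audit the exported text so that nothing token-shaped survives. The following Python is an added illustration of that pattern and is not Brave's code; the log lines, the wallet API host and the token value are constructed for the example, and the three patterns are an assumption about the common shapes an OAuth token takes in a log (an Authorization header, an `access_token`/`refresh_token` JSON field, and a token carried in a query string).

```python
import re

# Constructed sample log (not real Brave output). The host is a reserved
# .invalid name and the token value is invented for this example.
SAMPLE_LOG = """\
[12:00:01] rewards: GET https://api.example-wallet.invalid/v0/me
[12:00:01] rewards: header Authorization: Bearer abcdef0123456789abcdef0123456789abcdef01
[12:00:02] rewards: response 200 {"access_token":"abcdef0123456789abcdef0123456789abcdef01","scope":"cards:read"}
[12:00:03] rewards: balance refreshed
"""

# Assumed token shapes. Group 1 is the label that is kept; group 2 is the
# secret that is replaced. The character class covers base64url/JWT-style values.
TOKEN_PATTERNS = [
    re.compile(r'(?i)(authorization:\s*bearer\s+)([A-Za-z0-9._~+/-]+=*)'),
    re.compile(r'(?i)("?(?:access|refresh|id)_token"?\s*[:=]\s*"?)([A-Za-z0-9._~+/-]+=*)'),
    re.compile(r'(?i)([?&](?:access_token|token|code)=)([^&\s]+)'),
]

REDACTED = "[REDACTED]"


def redact_line(line: str) -> str:
    """Replace every token-like value on one log line, keeping the field label."""
    for pat in TOKEN_PATTERNS:
        line = pat.sub(lambda m: m.group(1) + REDACTED, line)
    return line


def redact_log(text: str) -> str:
    """Scrub a whole log before it is exported or shared for debugging."""
    scrubbed = "\n".join(redact_line(line) for line in text.splitlines())
    return scrubbed + ("\n" if text.endswith("\n") else "")


def find_secrets(text: str) -> list[tuple[int, str]]:
    """Audit helper: list (line_number, field_label) for every line that still
    carries a token-like value. An empty list means the export is clean."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for pat in TOKEN_PATTERNS:
            for m in pat.finditer(line):
                hits.append((number, m.group(1).strip()))
    return hits


if __name__ == "__main__":
    print("Before export, these lines carry secrets:", find_secrets(SAMPLE_LOG))
    cleaned = redact_log(SAMPLE_LOG)
    print(cleaned)
    print("After redaction:", find_secrets(cleaned) or "clean")
```

The redaction runs at export time rather than at write time on purpose: the audit function can be pointed at the exact bytes that are about to leave the machine, which is the check that was missing in both incidents described above. Any new token-bearing field has to be added to `TOKEN_PATTERNS`, which is where a review of logged fields would land.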
If you think your logs may have been exposed after 27 July 2020 when Uphold invalidated all existing OAuth tokens, you can safely revoke your existing token and get a new one by doing the following:
1. Log in to your Uphold account and click on Settings > Applications > Authorized Applications.
2. Click on “Brave Browser” and then click “Remove.”
3. In Brave Desktop, navigate to brave://rewards. It should show that your wallet is disconnected. Click on Disconnected > Login and enter your Uphold credentials to re-authorize Brave.
We would like to thank hihouhou for alerting us to these important issues. We encourage all security researchers to participate in our Bug Bounty program.