Brave sync security breach

Hi Community Brave,

I sync Brave browsers on 2 PCs using my 12-word Brave password.

It works fine, but I have a severe security breach now.

On each PC, in the Brave Sync tab, by simply clicking the « View sync Code » button, it is fully open and everyone can see my 12-word Brave password.

How can I fix this security breach?

Thank you


Simply not leaving your devices unattended should be fine.

This is a major security breach. Brave even says at « https://brave.com/learn/wallet-recovery-phrase/ »: « … STORE IT IN A SAFE DEPOSIT BOX … ».

Brave takes this very seriously. This is like having access to your bank account.

It’s a major security breach that in the Brave Sync tab, by simply clicking the « View sync Code » button, anyone can see the « 12-word Brave recovery phrase password ».

There is certainly a way to hide the « 12-word Brave recovery phrase password ».

@jerome3 Your computer should always be locked when you’re not at the computer. If it’s kept secure, then nobody would be able to go to the sync tab to see the information. Just like in your browser, if you go to Settings and then type in Passwords, you can see every website and password you’ve saved in your browser. But that can only be accessed if you leave it open and others use it.

The reason why you’re being told to keep it in a safe or something of the sort is so if your computer ever stops working and you can no longer view it, you are able to recover all your data and money. Otherwise you’d be crap out of luck and would have to start over completely. Thus you keep the info stored safely in a location where nobody can take it and add themselves to your chain, where they would then be able to access your information.

So keep in mind, letting someone use your computer or leaving it on and unattended is like leaving the door to your home unlocked and open, allowing anyone to come see and take all of the things you have stashed. Please use common sense and take responsibility for securing your property.


Actually, not sure when it changed, but I see now on both Desktop and Android, you have to input your device password in order to access the saved passwords (I used to look regularly, but maybe I just had somehow found a bypass). It will still show the websites and your usernames though. So I get it, you’re saying the same way they require you to input your device passwords to see that, so too would you like to see that extra layer of protection for your sync code.

I still am saying that the purpose of locking it up somewhere else is so if your device is ever lost, damaged, or stolen you can recover it. But at the same time, I get what you’re saying of why it just lets people see the code or add themselves to your sync without requiring that extra layer of protection as they give to the password manager and all. Especially since that sync chain would include all your saved passwords and all.

Just my advice, but maybe work on the phrasing. The way yours comes across is like saying you’ve left your house unlocked but then you’re blaming others for the idea that someone saw your checkbook on your desk. There is some level of responsibility and control, but I get now that you’re trying to say you expected a lock to be on your filing cabinet and that without that lock there, you don’t feel as safe and you’re hoping they can create a lock for it.


Thanks @Saoiray for your excellent explanation. I don’t have much to add, but I want to restate some of the points you have made.

There are two separate things here:

  1. Backing up your crypto wallet and storing the paper copy of the key in a safe place.
  2. Keeping your local passwords safe even when using Brave Sync.

The first point is to protect against the loss of your funds, should your computer go missing or break down, etc. Of course, this copy of the key must be kept secret because it allows anybody to have access to your funds.

The Sync code is not a backup and it’s not designed to help in case you lose access to your computer. Instead, it’s to make it possible to share your bookmarks and passwords across all of your devices without making them visible to Brave (they are end-to-end encrypted).

In both cases, the crypto wallet or the passwords saved in Brave, you need to make sure that your computer is secured. If someone has access to your computer (for example, it’s left logged in and unlocked without a screen saver password), then anybody could come in and view your passwords inside the browser. Similarly, that person using your computer without your permission could install software to copy the relevant files to a USB stick and then steal your data/funds later. Or, as you point out, they could steal your Sync QR code and sync your data to their computer later.

Brave cannot effectively protect against all of these attacks because in order for the password manager to work and fill in your passwords for you, it needs to have the passwords available somewhere in memory. Some users make use of third-party password managers which require the use of a master password each time a password is filled in. That helps protect the passwords to some extent, but if someone else can use your computer without your permission, they could also install a key logger, or steal your session cookies. At the end of the day, users need to take steps to secure their computers against what is usually called “physical” attacks (someone physically using your computer). Full-disk encryption and screen saver passwords are highly recommended. Logging out and shutting down your computer when not in use are also good habits.

We do take our users’ security seriously and that’s why we want to be careful not to give users a false sense of security. Hiding the Sync key in the user interface for example, would hide the fact that it’s still available in memory because the browser needs it to keep syncing with other devices.

I hope this helps.


I think your last sentence represents the wishes of us all. When I use Firefox, I use LastPass’ add-on to store and use my passwords. In order to use it, I have to open it with its master password, and it logs you out after a number of minutes of inactivity predetermined by you, and when closing the browser too. Now, this is something that needs to be done in every browser, I think. There is a need for login accounts so all of the members of my household can use the browser and its features independently. I can’t find this kind of protection in any browser. The worst is Chrome, I think. I feel like I cannot completely log out of my Google account in it. Anyone can open Chrome and use it as me. It doesn’t ask for a password nor 2FA to log in to Gmail. It’s terrible and kinda scary. You can never feel safe and protected with any product right now. I thought Brave had a solution for this, but I guess we’ll have to wait for it. I hope it will be soon.

IMO, the issue isn’t whether I secure my computer and browser. It’s about the ease with which the sync phrase can be exposed. The more highly sensitive content is, the more guardrails there should be in place to access it. This sync phrase is literally the password to the kingdom. I’d rather have to click through a few messages than accidentally reveal it in a public place. The fact that Brave stores it in memory is moot to the main concern. Yes, of course, if someone can get into my computer, I have bigger problems than just the sync phrase.

I think, when clicking “View Sync Code”, the content should be occluded with a message warning about the sensitivity of the phrase and that message must be dismissed to see the phrase. Alternatively, or additionally, move the “View Sync Code” button away from other buttons so that it’s less likely it can be clicked accidentally.

Relatively few people understand security. Relatively few people will take precautions before clicking buttons in their browser settings. At least make it hard for novices to expose their sync phrase. After all, how often does it need to be viewed?! A few extra hoops to jump through is not a big deal.
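The gated reveal proposed in this post, as an added example in JavaScript (not Brave’s code): the sync code stays occluded until the warning is explicitly dismissed, and it re-hides itself after a timeout so a revealed code is not left on screen. The class name, the warning text, the sample code and the injected clock are my own assumptions.

```javascript
// Added example, not Brave's implementation: state logic for a "View Sync Code"
// button that shows a warning first and auto-hides the code again.
// The clock is injected so the behaviour can be exercised without a DOM.
class SyncCodeRevealGate {
  constructor(syncCode, { revealMs = 30000, now = () => Date.now() } = {}) {
    this._syncCode = syncCode;   // the sensitive phrase; never logged or copied
    this._revealMs = revealMs;   // how long the code may stay visible
    this._now = now;
    this.state = 'hidden';       // 'hidden' | 'warning' | 'revealed'
    this._revealedAt = null;
    this.reveals = 0;            // how many times the code has been shown
  }

  // First click on "View Sync Code": only the warning appears, never the code.
  requestReveal() {
    if (this.state === 'hidden') this.state = 'warning';
    return this.state;
  }

  // Dismissing the warning is the only path from 'warning' to 'revealed';
  // calling this from 'hidden' does nothing, so a stray click cannot reveal.
  acknowledgeWarning() {
    if (this.state !== 'warning') return this.state;
    this.state = 'revealed';
    this._revealedAt = this._now();
    this.reveals += 1;
    return this.state;
  }

  hide() {
    this.state = 'hidden';
    this._revealedAt = null;
  }

  // Text the settings page should render on each redraw. A reveal that has
  // outlived revealMs is expired here, so the code does not stay visible.
  display() {
    if (this.state === 'revealed' && this._now() - this._revealedAt >= this._revealMs) {
      this.hide();
    }
    if (this.state === 'revealed') return this._syncCode;
    if (this.state === 'warning') {
      return 'WARNING: this code grants full access to your synced data. ' +
             'Make sure nobody can see your screen, then click again to reveal.';
    }
    return '•••• •••• •••• ••••';
  }
}

// Constructed sample phrase for demonstration only (not a real sync code).
const demoGate = new SyncCodeRevealGate('alpha bravo charlie delta', { revealMs: 30000 });
```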

Good suggestion, it should be done.
I agree with the point that there should be a warning that it contains sensitive info: look for cameras, do not view the words in public, etc. Like crypto wallets have, just like Brave Wallet, MetaMask, Exodus, etc.

But, the second point might be too much. The current positioning of the button is not that bad. Or it can be put at the bottom of the screen, below ‘Addresses and more’.