Found a huge security hole in Brave

I recently gave myself a virus. 100% my fault.

Someone was able to get into my computer and start transferring money out of my bank account making purchases using my Paypal account, trying to steal my Netflix account, etc. Still all my fault for getting a virus.

Here is where having Brave ended up being a huge liability:

After I got rid of the virus and even reformatted all of my computers, someone still had access to everything that was in my browser including passwords, which I had not changed all of yet.

The only way this could have happened is if while someone was in my computer they used the sync feature in Brave to make a copy of my profile on their computer. Chrome also has a sync feature, but it requires knowing your Google password.

Not really a deal breaker as I just stopped saving passwords and 100% my fault, but just something to think about if someone gets access to your computer (online or in person) and you are using Brave.

Not really. What you’re speaking of is via the account. But if someone has access to your device, they are able to access your passwords. On Chrome you just go to chrome://password-manager/passwords or settings → autofill and passwords → password manager. That’s only if they are trying to access. But if they have access to your device, they don’t even need that. All they have to do is visit any website where you’ve saved a password and they can sign in with it.

So where you’re trying to compare your passwords on a Google account vs Sync, this isn’t necessarily where your issue came about.

Well if you hadn’t changed them yet, then why do you think they did anything with sync? They would have already collected your passwords from your browser earlier.

Did you see any unknown devices listed? Keep in mind every time something gets added, it’s shown there. If you didn’t have anything there, then that means you’re making a false assumption here.


On a side note, I do want to address a few things in regards to saved passwords.

One of the safest things to do with passwords and accounts is to use something like a hardware authentication device, such as YubiKey. This makes it so nobody can actually get your accounts unless they have this physical device.

Next safer is at least using 2 factor authorization for everything. Many sites allow this or even are defaulting to it. This would require you to access your phone to receive a text or to access a 2FA app and insert a code that expires like every 60 seconds.

Next thing without that is to remember not to use the same password for any site. Each site should be different so if one password is taken it’s not easy to get to most. Sadly people tend to use the same username/password combo for multiple sites.

If you have a good memory and want to be ultra careful, you shouldn’t save passwords anywhere.

As to saving on device vs password manager, there can be a lot of debate on which is safer/better. Passwords in Brave (and pretty much all chromium) are encrypted on a local level and are safe overall, with some exceptions. One argument against it would be from articles such as https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-passwords-shouldnt-be-saved-in-browsers/

When speaking of password managers, there have actually been a lot of risks in terms of people having an easier time of guessing passwords, accessing because you replicated passwords that they stole from another site, or just because they get hacked. There have been a lot of data breaches from various password managers over the years. For example, here, this, even this, and lastly here
