Man-in-the-middle used on Brave on MacOS

I have only Gmail and Brave community open when I run this command. These domains that Brave says it has open network connections to do not match the tabs I currently have open. This is a man-in-the-middle attack on the Brave Browser. I have been a whistleblower and I believe I am being harassed in retaliation with military grade hacking tools. You can verify this if you are on a Mac. If you have Gmail and Brave community open, this command will show a different output for you because your Brave Browser has not been compromised as mine has. This same command works in Linux also.

sh-3.2# lsof -i | grep ESTABLISHED | grep Brave | head -n 4
Brave\x20 608 michaellazin 25u IPv4 0x257ac54af0358271 0t0 TCP 192.168.1.117:49298->151.101.66.137:https (ESTABLISHED)
Brave\x20 608 michaellazin 30u IPv4 0x257ac54af5050b21 0t0 TCP 192.168.1.117:49382->ww-in-f17.1e100.net:https (ESTABLISHED)
Brave\x20 608 michaellazin 45u IPv4 0x257ac54af506cd81 0t0 TCP 192.168.1.117:49397->104.16.53.111:https (ESTABLISHED)
Brave\x20 608 michaellazin 49u IPv4 0x257ac54af5069631 0t0 TCP 192.168.1.117:49398->184.105.99.43:https (ESTABLISHED)
sh-3.2#

It’s not possible from your post to determine much at all. You have four connections to well known content hosts (these are not MITM, just normal outbound connections and therefore not a Brave issue):

  • Fastly
  • Google
  • Cloudflare
  • Hurricane Electric (Brave Community)

Fastly and Cloudflare are well known Content Delivery Networks (CDNs). It’s entirely possible that these are just a result of content in the bodies of emails being loaded from them.

You’re going to need to use the browser developer tools, or a packet sniffer such as Wireshark, to determine what exactly is being requested from Fastly and Cloudflare. It’s most likely going to be something like images in an email, but the only way to know is to analyse the traffic.

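As an added example, not from the post or the reply above: a small Python triage helper that parses lsof -i rows of the shape shown in the post, attributes each remote peer to the owner the reply names, and flags the connections that deserve a packet capture. The owner table and the fifth sample row (a documentation address on port 8443) are constructed assumptions, not authoritative range data.

```python
import ipaddress

# Constructed lsof -i output in the shape of the post above, plus one made-up row to a
# documentation address (203.0.113.7) so the "unknown" path is exercised. The raw string
# keeps lsof's literal "\x20", its escape for a space in the command name.
SAMPLE_LSOF = r"""
Brave\x20 608 michaellazin 25u IPv4 0x257ac54af0358271 0t0 TCP 192.168.1.117:49298->151.101.66.137:https (ESTABLISHED)
Brave\x20 608 michaellazin 30u IPv4 0x257ac54af5050b21 0t0 TCP 192.168.1.117:49382->ww-in-f17.1e100.net:https (ESTABLISHED)
Brave\x20 608 michaellazin 45u IPv4 0x257ac54af506cd81 0t0 TCP 192.168.1.117:49397->104.16.53.111:https (ESTABLISHED)
Brave\x20 608 michaellazin 49u IPv4 0x257ac54af5069631 0t0 TCP 192.168.1.117:49398->184.105.99.43:https (ESTABLISHED)
Brave\x20 608 michaellazin 52u IPv4 0x257ac54af50699a1 0t0 TCP 192.168.1.117:49401->203.0.113.7:8443 (ESTABLISHED)
"""

# Assumed owner table built from the reply's attributions; real triage would use the
# CDNs' published ranges or a whois/ASN lookup instead of this hand-made list.
KNOWN_RANGES = [(ipaddress.ip_network("151.101.0.0/16"), "Fastly (CDN)"),
                (ipaddress.ip_network("104.16.0.0/13"), "Cloudflare (CDN)"),
                (ipaddress.ip_network("184.104.0.0/15"), "Hurricane Electric")]
KNOWN_SUFFIXES = {".1e100.net": "Google"}

def owner_of(host):
    """Map a remote peer (IP, or the name lsof reverse-resolved) to a known owner."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # lsof printed a hostname rather than an address
        return next((o for s, o in KNOWN_SUFFIXES.items() if host.endswith(s)), "unknown")
    return next((o for net, o in KNOWN_RANGES if addr in net), "unknown")

def parse_lsof(text):
    """Parse 'lsof -i' TCP rows: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or "->" not in f[8]:
            continue  # header, listeners and non-TCP rows carry no remote peer
        local, remote = f[8].split("->", 1)
        rhost, rport = remote.rsplit(":", 1)
        records.append({"command": f[0].replace(r"\x20", " ").strip(), "pid": int(f[1]),
                        "local": local, "remote_host": rhost, "remote_port": rport,
                        "state": f[9].strip("()"), "owner": owner_of(rhost)})
    return records

def flag_unexpected(records):
    """Established peers that are unattributed or not plain HTTPS: the ones worth a packet capture."""
    return [r for r in records
            if r["state"] == "ESTABLISHED" and (r["owner"] == "unknown" or r["remote_port"] != "https")]

if __name__ == "__main__":
    for r in flag_unexpected(parse_lsof(SAMPLE_LSOF)):
        print(f'{r["command"]}[{r["pid"]}] -> {r["remote_host"]}:{r["remote_port"]} ({r["owner"]})')
```

On a live machine, pipe the real output in with lsof -i -n -P and the script will still parse it; -n and -P keep addresses and ports numeric so the owner lookup is not at the mercy of reverse DNS.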
