Very strange experience trying to install Brave just now on a fresh Windows 11 Pro PC. It seems Microsoft is doing something that results in a different file being served than expected.
First off, I searched for brave browser in Edge:
I noticed later that the search result is technically an ad. The ad disclaimer text isn’t selectable, however, the way the search hits count is.
Notice anything strange?
Download Brave
Download
Download Brave For Free
Download For Free
…
Strange way to structure a website, unless it was for SEO reasons. I doubt the real Brave site is structured like that.
So clicking the Download Brave link doesn’t actually take you to Brave.com; it keeps you within the Microsoft ecosystem, apparently. Maybe for CDN caching purposes?
Eventually there is a redirect option, but it still points to a Bing address.
Anyway, if you accept the installer that was downloaded via Bing, it’s a different file than what you get if you navigate to brave.com and click download. Opening them up in VirusTotal shows different compilation times, different file hashes… but the same version of Brave within. It’s very strange to me. If it was just Microsoft injecting its own analytics via buying a Bing ad, and then this ad campaign going through a weird tracking route to get to the installer, why would it be a different file? Heck, even the filenames are different (BraveBrowserSetup-BRV001 vs BraveBrowserSetup-JMA500 or sometimes XGB796).
Funny enough, part of the URL if you click through from Bing to Brave.com, in the URL query parameters, is mtm_campaign=Competitor.
Anyway, it’s very unsettling. I think this is probably something Microsoft is doing, and not Brave. I’m going to assume it’s something like, MS gets their own file distribution infrastructure, or downloads from ads do, and that source just had an outdated file. Maybe it was recompiled later (same Brave version) and that different date caused a different file hash. But also VirusTotal points out one of them “executes-dropped-file” while the other doesn’t. Anyway, it’s scary to see something is happening, but in the end I just have to trust Microsoft to either protect me from rogue ad buyers, or that MS itself isn’t quietly injecting something under pressure from the NSA. Maybe the newer version patched some vulnerabilities the alphabet boys want to keep open, so they’re directing people to the older version.
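A differing hash only shows that the bytes differ; the Authenticode signature shows who published each file. The following PowerShell is an added example, not part of the original post: it puts the two installers side by side by hash, signer certificate, embedded version and recorded download origin. The file paths are assumptions about where the downloads were saved.

```powershell
# Added example. Paths are assumed; point them at the two downloaded installers.
$files = @(
    "$env:USERPROFILE\Downloads\BraveBrowserSetup-BRV001.exe",
    "$env:USERPROFILE\Downloads\BraveBrowserSetup-JMA500.exe"
)

function Get-InstallerProvenance {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $item = Get-Item -LiteralPath $Path
    # Mark of the Web: the Zone.Identifier alternate data stream the browser
    # writes on download. It is absent if the file was copied or unblocked.
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        File        = $item.Name
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus   = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject     # empty when unsigned
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        Timestamped = [bool]$sig.TimeStamperCertificate
        FileVersion = $item.VersionInfo.FileVersion
        HostUrl     = ($motw | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
        ReferrerUrl = ($motw | Where-Object { $_ -like 'ReferrerUrl=*' }) -replace '^ReferrerUrl=', ''
    }
}

$report = $files | ForEach-Object { Get-InstallerProvenance -Path $_ }
$report | Format-List

# Every file must verify, and all must chain to the same signer subject.
$notValid   = @($report | Where-Object { $_.SigStatus -ne 'Valid' })
$signers    = @($report | ForEach-Object { $_.Signer } | Sort-Object -Unique)
$sameSigner = ($notValid.Count -eq 0) -and ($signers.Count -eq 1)

if ($sameSigner) {
    "All files carry a valid signature from the same signer: $($signers[0])"
} else {
    "Signature check failed or signers differ. Do not run these files:"
    $report | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -ne $signers[0] } |
        Select-Object File, SigStatus, Signer
}
```

A `Valid` status with the same signer on both files means the publisher signed both builds even though the bytes differ; `HashMismatch` or `NotSigned` on either one means that file was altered after signing or never signed.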