CVE-2020-8276 – Exposure of Sensitive Information to an Unauthorized Actor – Brave Browser Potentially Logs The Last Time A Tor Window Was Used.

Title

Exposure of Sensitive Information to an Unauthorized Actor – Brave Browser Potentially Logs The Last Time A Tor Window Was Used.

CVE ID

CVE-2020-8276

CVSS Score

5.5

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Internal ID

SICK-2020-013

Vendor

Brave Software, Inc.

Product

Brave

Product Version:

1.18.27 and below.
Fixed in 1.18.34

Vulnerability Details

A vulnerability in the Brave Browser allows an attacker to view the last time a Tor session was used in incognito mode. A local, on-disk attacker could read the Brave Browser’s “Local State” json file and identify the last time a Tor session was used, affecting the confidentiality of a user’s Tor session.

For example, the “Local State” file of a user who has recently used a Tor session would list a key value pair with a timestamp as accurate as “13248493693576042”. This allows an attacker to fingerprint, or prove beyond reasonable doubt, that a user was using Tor at that very specific moment in time.

Vendor Response

Fixed in 1.18.34 Brave Nightly Build, see Pull Request 7010

Disclosure Timeline

• 2020-10-30 – Researcher discovers vulnerability, when updating to latest Brave
• 2020-10-30 – CVE Requested
• 2020-11-02 – Researcher notifies vendor via email
• 2020-11-02 – Vendor confirms security concern and request submission through HackerOne
• 2020-11-02 – Researcher submits vulnerability via HackerOne
• 2020-11-02 – Vendor patches vulnerability
• 2020-11-04 – Vendor releases patch in Nightly Build
• 2020-11-04 – Public disclosure via HackerOne Report #1024668
• 2020-11-04 – CVE assigned CVE-2020-8276

Credits

@sickcodes – https://twitter.com/sickcodes Researcher discovery & report.

@bcrypt – https://twitter.com/bcrypt Brave Browser security team correspondent.

Links

https://hackerone.com/reports/1024668

https://github.com/sickcodes/security/blob/master/advisories/SICK-2020-013.md

https://sick.codes/SICK-2020-013

https://brave.com/new-onion-service

https://hackerone.com/brave

https://github.com/brave/brave-core/pull/7010

https://twitter.com/sickcodes

https://twitter.com/bcrypt

https://github.com/sickcodes

https://sick.codes

PoC

Open Brave Browser in incognito mode with Tor.

Close Brave browser, and view ~/.config/BraveSoftware/Brave-Browser/Local State

jq '.core_p3a_metrics' < ~/.config/BraveSoftware/Brave-Browser/Local\ State

{
  "incognito_used_timestamp": "13248495136836403",
  "tor_used": true
}

The above timestamp is permanent until overwritten, by another Tor session.

The tor_used Boolean refers to whether or not a Tor session has ever been used in Brave Browser, hence the term “potentially” in the report title.

Other metrics related to Tor in Local State:

"last_used": "Tor Profile",
"metrics": {
"next_bucket_index": 2
},

  "core_p3a_metrics": {
    "incognito_used_timestamp": "13248493693576042",
    "tor_used": true
  },

      "Brave.Core.TorEverUsed": {
        "sent": false,
        "timestamp": 0.0,
        "value": "0"
      },

  "tor": {
    "tor_disabled": false
  },

Proof that tor_used Bool only refers to whether has ever used Tor:

• • Open icognito with Tor:

jq '.core_p3a_metrics' < ~/.config/BraveSoftware/Brave-Browser/Local\ State

{
  "incognito_used_timestamp": "13249022400646476",
  "tor_used": true
}

• • Open icognito without Tor:

jq '.core_p3a_metrics' < ~/.config/BraveSoftware/Brave-Browser/Local\ State

{
  "incognito_used_timestamp": "13249022400646476",
  "tor_used": true
}