Brave Software: Brave Browser potentially logs the last time a Tor window was used

Summary:

A vulnerability in the Brave Browser allows an attacker to view the last time a Tor session was used in incognito mode. A local, on-disk attacker could read the Brave Browser’s “Local State” json file and identify the last time a Tor session was used, affecting the confidentiality of a user’s Tor session.

For example, the “Local State” file of a user who has recently used a Tor session would list a key value pair with a timestamp as accurate as “13248493693576042”. This allows an attacker to fingerprint, or prove beyond reasonable doubt, that a user was using Tor at that very specific moment in time.

Products affected:

Brave 1.18.27 and below

Steps To Reproduce:

Start a Tor session in Brave Browser

Supporting Material/References:

As discussed with security@ team in email chain titled:

Re: [Security] CVE Request 981386 - Brave Browser (All) - Exposure of
Sensitive Information to an Unauthorized Actor While Using Tor Feature

And fixed in PR 7010:
https://github.com/brave/brave-core/pull/7010

• List any additional material (e.g. screenshots, logs, etc.)

Impact

Violate the confidentiality of a user’s Tor session.