TLDR: Brave sends a referral header for crypto websites. They introduced Tor browsing inside the browser, but that header was still being sent inside a Tor session, along with the file created in config that keeps track of it. He reported it, was assigned a CVE, and Brave fixed it.

Write up by the person who reported it

(I don’t think Tor on Brave is ready; it’s best to not use that feature at the moment, since they have a number of issues on GitHub to improve anonymity and stop leakage, etc.)

  • @throwaway284921384
    13 years ago

    I don’t really like Brave’s business model of replacing ads with ‘ethical ads’. It seems a little shady to me. Yes, it’s their choice, but it’s still shady in my opinion.