Brave browser leaks visited Tor .onion addresses in DNS traffic, fix released after bug hunter raises alarm • The Register

Plus: IBM's lawyers hacked, Kia denies ransomware hit, France declares war on hackers, and more
Iain Thomson in San Francisco Mon 22 Feb 2021 // 07:14 UTC
IN BRIEF Brave has patched up its privacy-focused web browser after it was spotted leaking its Tor users' dark-web habits.

The browser has a built-in Tor mode, allowing folks to easily and anonymously surf the dark-web network. However, this code started spilling the .onion domains visited by the browser over the open internet to whatever DNS servers the software was configured to use for non-Tor websites, allowing whoever operates those DNS servers – or anyone who can snoop on the queries in transit – to figure out the kinds of hidden services frequented by an individual user.

The problem was clocked in mid-January by the bug hunter xiaoyinl, who reported it to Brave's HackerOne-run bounty program. A fix was soon sorted out and released to end the ad-blocking-related leak.

"The root cause was a new ad-blocking feature called CNAME ad-blocking which initiated DNS requests that did not go through Tor in order to check if a domain should be blocked," a Brave spokesperson told The Register.

"As is our usual process for bug fixes, we have been testing the changes in nightly to make sure that they didn't cause regressions or other bugs before releasing to the stable channel. However, given the severity of the issue and the fact that it is now public (thereby making it easier to exploit), we are accelerating the timeline for this issue and releasing the fix today in stable (1.20.x)."

Time to get updating; there are more details on the patched release here.
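
For anyone who wants to check their own network for this class of leak, here is an added example (ours, not Brave's code and not from the bug report): it decodes DNS queries captured on their way to an ordinary resolver and flags any whose name ends in the .onion label, which RFC 7686 says should never be looked up in the public DNS. The client addresses and hostnames in the sample are constructed, and the function names are our own.

```python
import struct

def build_query(name, txid=0x1A2B):
    """Encode a minimal DNS query (RFC 1035); used only to construct sample input."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def query_names(payload):
    """Return the lower-cased QNAMEs of a DNS query; [] for responses or malformed data."""
    if len(payload) < 12:
        return []
    _, flags, qdcount = struct.unpack("!3H", payload[:6])
    if flags & 0x8000:                      # QR bit set: a response, not a query
        return []
    names, pos = [], 12
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(payload):
                return []                   # truncated name
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length > 63 or pos + length > len(payload):
                return []                   # pointer or overrun: not a plain question
            labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
            pos += length
        pos += 4                            # skip QTYPE and QCLASS
        names.append(".".join(labels))
    return names

def find_onion_leaks(packets):
    """packets: iterable of (client_ip, udp_payload) seen going to an ordinary resolver."""
    return [(client, name) for client, payload in packets
            for name in query_names(payload)
            if name.split(".")[-1] == "onion"]   # match the TLD label only

# Constructed sample traffic; the addresses and names are made up for illustration.
SAMPLE = [
    ("192.0.2.10", build_query("www.example.com")),
    ("192.0.2.10", build_query("ConstructedHiddenService.ONION")),
    ("192.0.2.11", build_query("onion.example.net")),
    ("192.0.2.11", b"\x00\x01"),
]

if __name__ == "__main__":
    print(find_onion_leaks(SAMPLE))
```

Matching on the final label rather than a substring keeps ordinary names such as onion.example.net out of the results.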

Apple has updated its freely downloadable security bible to include details of the features of its homegrown M1 and A14 chips inside Arm-powered Macs and latest iPhones, respectively. These include info on Apple Silicon boot modes, biometrics changes, and more.

Kia says it wasn't hit by ransomware
It has been a rough week for Kia as the South Korean car manufacturer has seen its online services to dealers and customers hit by a major IT outage. It was reported by some in the media that the outage was due to a massive ransomware outbreak among the automaker's servers, and that the DoppelPaymer criminal group claimed responsibility. The miscreants also said they had exfiltrated lots of valuable data from Kia's systems, and that they were asking for a ransom of $20m or else they'd publish the pilfered information online.

The Reg checked with Kia, and the answer was pretty unequivocal: “We are aware of online speculation that Kia is subject to a ransomware attack," a spokesperson told us. "At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack."

Files swiped from IBM's outside lawyers
The blue-chip US law firm Jones Day, which has represented and advised IBM among many others, has confirmed some of its client files were stolen by hackers.

Like victims in the SolarWinds snafu, the legal eagles fell prey to an attack on one of their third-party suppliers: in this case, Accellion, which licenses a file-sharing product to many legal firms. Accellion claimed it was compromised by someone exploiting a zero-day vulnerability in December, and some of its customers were affected.

“Jones Day’s network has not been breached. Nor has Jones Day been the subject of a ransomware attack," the legal firm told American Lawyer magazine, meaning that it believes its own corporate network was untouched and that documents were purloined from its file-sharing provider.

"Jones Day has been informed that Accellion’s FTA file transfer platform, which is a platform that Jones Day—like many law firms, companies and organizations—used, was recently compromised and information taken. Jones Day continues to investigate the breach and has been, and will continue to be, in discussion with affected clients and appropriate authorities.”

Legal giant Goodwin Procter also said it was hit in a similar attack.

Top-tier venture capital biz Sequoia Capital told its investors on Friday that a hacker may have glimpsed some of their personal and financial information after a staffer's email was phished, Axios reported.

French government declares no surrender to ransomware
After ransomware infections crippled two French hospitals in as many weeks, President Emmanuel Macron has had enough, and announced €500m ($606m) in funding to tackle the scourge.

France's healthcare system is already overstretched with COVID-19 cases, and the outbreaks of file-scrambling malware in hospitals in Dax and Villefranche-sur-Saône only added to the chaos. Macron has reportedly instructed the National Cybersecurity Agency of France (ANSSI) to find a solution, and be quick about it.

“We are learning about these new attacks, some coming from states as part of new conflicts between nations, others coming from mafias,” Macron said in a briefing on Thursday, adding that ANSSI would need support from other countries to beat the ransomware scourge.

Man accused of ransoming past employer
Police in Westport, Connecticut, USA, have arrested a 33-year-old man, saying he "hacked" the computers of a former employer, which then suffered a ransomware infestation.

Yigitali Ercan, 33, of Philadelphia, was charged with second degree computer hacking after his former bosses told police Ercan had entered the company's computer systems illegally after leaving and made changes to the corporate website. A day later the company was hit by ransomware that encrypted files for extortion.

Ercan denies the allegations, telling police that he did nothing of the sort. He was booked and released on bail