PT-2020-20076 · Brave · Brave Desktop

Published: 2020-11-05 · Updated: 2020-11-18 · CVE-2020-8276

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Brave Desktop versions 1.1 through 1.18.35

Description: The implementation of Brave Desktop's privacy-preserving analytics system (P3A) logged the timestamp of when the user last opened an incognito window, including Tor windows, instead of excluding Tor windows as intended. If a user has P3A enabled, the timestamp itself is not sent to Brave's server; instead, a bucketed usage-frequency value is sent, such as "Used in last 24h", "Used in last week but not 24h", "Used in last 28 days but not week", "Ever used but not in last 28 days", or "Never used". The privacy risk is low because a local attacker with disk access cannot determine whether the stored timestamp corresponds to a Tor window or to a non-Tor incognito window.

Recommendations: For versions 1.1 through 1.18.35, update to a version later than 1.18.35 to resolve the issue. As a temporary workaround, disable the P3A system and avoid using it until the patch has been applied. Restrict access to incognito windows and Tor windows to minimize the risk of exploitation.

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2020-8276

Affected Products

Brave Desktop