When I click “view sync code” in Brave it doesn’t ask for the Windows password or fingerprint, and there’s no option to add a master password like Firefox. This means that if anyone ever has access to my unlocked PC, whether physical or virtual (software like TeamViewer, or a backdoored trojan virus), they can just copy my sync code without knowing my password, paste it into their Brave, and they’d have access to all my data, including all saved passwords.
Solution: The solution could be adding a master password like Firefox, or prompting Windows Hello every time a user tries to change anything in Sync settings, whether it’s viewing the sync code, adding a new device or changing any sync setting.
The same logic should apply to the Android version of Brave as well: you need to verify biometrics before changing anything in Sync.
I see this and get what you’re saying, but I also feel it’s very important to put focus on the other side of things, which is the responsibility of the user. You make one very big mistake:
That’s your mistake there. You should always lock your PC when you’re not using it. If you choose to leave it unlocked and active for people, then you’re the one at fault if they grab it. I mean, they could then use your PC to visit one of your sites, log in using your saved credentials and then change your passwords. They could also install keyloggers, clone your various folders, etc.
In fact, it would not even be hard for them to just clone your hard drive by doing a backup and then access it on a different device.
If it was just a request for extra security by having the sync code password protected, I get it. But when I see people say things like “if I leave things accessible and unprotected…”, that just isn’t right. Privacy and security rely most heavily on the user being responsible.
I would like to respond to this. I think it is obvious that one should not leave the PC unattended, but I feel it does not influence the fact that the sync code should be protected better. Security is always layered (or multifactor), and potential access to all your passwords should really be better protected from within the client as well.
Greatest reply ever. You can suggest to Brave that they shouldn’t ask for the system password when viewing or copying passwords because, according to you, everyone should keep their devices locked and never let anyone use them, even for 2 seconds. You mentioned that an attacker could change the password by logging into the system, but any security-conscious service provider would require 2FA. You might not know about that, so it’s worth learning. And you’re comparing changing passwords by logging into each website over days to syncing all saved passwords in 1 second by scanning a QR code.
@mahinthan, it’s perfectly fine to share your concerns or disagree, but please remember that insulting others is not allowed here. I had to report/flag one of your comments twice because, after it was hidden, you edited and resubmitted it without changing the content, which still included the insulting language.
Please keep the Brave Community rules in mind. You can review them here: https://community.brave.app/faq. The comment that was flagged and hidden violated the rule shown below:
It’s perfectly fine to flag negative comments. Instead of doing that, you might consider suggesting to the Brave team that they focus on this serious security bug rather than comparing showing security codes without asking for the system password to “leaving a house open without locking it.” We saved passwords in Brave because we trusted the browser, but treating a serious security bug as a fancy feature is totally unacceptable when all other browsers are very concerned about it.
@mahinthan, you might want to check the other topic where you’re responding. Mattches from Brave has given you an answer there. I also shared some additional GitHub issues and included a screenshot showing where I tagged one of the developers earlier this year to encourage these changes.
During the Community Call on Tuesday, someone mentioned that a lot of improvements are coming with Sync V3, but there’s no ETA yet, and it’s unlikely to happen soon. However, it’s possible they might implement a request like this well in advance.
I want to clarify that while I emphasize the importance of making wise decisions with our devices and that security is ultimately each user’s responsibility, it doesn’t mean I don’t understand or agree with your requests. My main focus is addressing claims and expectations that place the full responsibility on Brave. As I mentioned in the other topic, it’s like leaving your door open and then complaining that someone walked in and took something. The first step is ensuring the door is closed. However, that doesn’t mean there shouldn’t be a secure safe inside as an additional precaution.
You can choose to ignore a reply, but don’t reply like this. It’s reducing respect for the Brave community. Not everyone will share their thoughts in posts. If someone posts a disrespectful comment, hiding it prevents others from seeing how many people are upset in the community forums.
It’s like leaving your door open and then complaining that someone walked in and took something. The first step is ensuring the door is closed.
This is totally unacceptable. Don’t compare the real world with the digital world. Think of it this way: I have more valuable digital assets than real-world assets inside my house.
Imagine if you went to the security section in Gmail or Instagram and your password was visible. That wouldn’t be correct, right? They don’t do that and don’t just tell you to use your own device and remember to lock it. That wouldn’t be fair.
When changing a password on any website, you need to know the old password or have access to 2FA. They don’t say it’s your responsibility to handle that.
I can give several valid examples. Keeping user details safe, especially passwords, is the service provider’s responsibility. They shouldn’t say things like you do. I don’t know why Brave hasn’t fixed this issue over the years or how many users might be affected without knowing. It’s terrible. I will not reply more to this post. Please don’t remove or hide it. Others who have the same frustration will be happy to see this.
Your Brave sync chain is not the only thing at risk when you let someone use your computer. They could install a keylogger, for example, or they could export your passwords from Chrome and upload the file somewhere. Having extra security is good, but it’s never perfect, so Brave’s lack of it is not an existential issue. Nothing will stop you from having to be considerate regarding who you allow to use your computer.
Saoiray’s perspective feels a bit dismissive of the real issue. While user responsibility is important, comparing this to “leaving your door open” overlooks the fact that Brave, as a company that prides itself on protecting its users, could easily do more. Adding basic security measures like 2FA or a master password for Brave Sync would go a long way in addressing these concerns.
Mahinthan’s points really resonate here. Platforms like Gmail and Instagram take extra steps to safeguard user data, even in cases where mistakes happen. It would be great to see Brave adopt similar measures to ensure users feel secure, no matter the situation.
Brave has built a reputation for prioritizing user privacy, and something as straightforward as adding 2FA or a master password seems like a natural step to reinforce that trust. Hopefully, this is something they’ll consider implementing soon.