Brave Browser Incorrectly Displays Download Origin on macOS

Vulnerability

A vulnerability exists in Brave Browser for desktop, versions 1.70.x through 1.73.x, in which the origin shown in the file selector (download) dialog is taken from the Referer header of the download request rather than from the URL that actually served the file. The displayed origin is therefore the page the download was initiated from, not the host the bytes came from. An attacker can chain this with an open redirect on a trusted site: the download request passes through the trusted site, the file is served from a malicious host, and the dialog still names the trusted site as the source.

Impact

Users are misled about where a downloaded file came from, so a malicious file can be presented as originating from a trusted site. Because the origin shown in the download dialog is one of the few cues a user has for judging a file before opening it, this raises the likelihood of malware installation, particularly in targeted attacks by Advanced Persistent Threat (APT) groups or in social-engineering campaigns.

Reproduction

To reproduce this vulnerability, use a malicious page that triggers a download through an open redirect on a trusted site, so that the request is redirected to a file hosted on the attacker's server. When the download dialog appears, the origin it shows is the referrer site, not the site that actually served the file.

Remediation

This issue has been acknowledged by Brave Software and is to be fixed in a future update. Users should keep Brave up to date; the latest version is available on the Brave website. Until a fixed build is installed, the origin shown in the download dialog should not be treated as proof of where a file actually came from.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 0.6
exploitability: 5.8
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.