What you need to know
- Brave browser is considered to be the most popular secure and private browser on the market.
- They have been offering a VPN service for the last year and decided to start installing this service for all downloads of the Brave browser
- Unless you pay for the $9.99/mo VPN service, the installation lays dormant on your PC.
- Brave has already responded saying they will be removing the VPN service registrations from their installation package.
Brave browser is loved throughout the tech, cybersecurity, and privacy-minded communities alike. Here at Windows Central, we reviewed it back in 2020 and gave it a glowing recommendation. However, reports from Android Central and Ghacks.net are pointing to an issue discovered with Brave browser installing undeclared files for its VPN service for all users on Windows.
Is Brave going to fix the issue?
While the decision by the Brave company to install service packages for their VPN unknowingly to the customer is concerning, the implementation of the installation shows they weren't trying to do anything malicious on the end-user device.
We can take a look at what the installation is actually doing with the VPN services. As we can see in the image below, the VPN services are set to manual meaning they won't start until the user purchases Brave's Firewall and VPN service which costs $9.99 per month or starts the service manually.
In a post on Github, Brian Clifton, the VP of Engineering @brave, explains more of the situation. The change to install the VPN services went live in this update which is dated April 4th of this year. There are two services installed, the Brave VPN Wireguard Service and the Brave VPN Service, neither of which are explained to a user downloading the Brave browser, nor do they get consent.
Brave has already addressed the issue and promised to resolve it.
What does the fix look like? As we solve this issue, here's what we plan to do. Remove the service registrations during install (for Brave Vpn Service and Brave Vpn Wireguard Service). This will prevent new users from having the service installed.
Brian Clifton VP of Engineering @brave
How to disable Brave VPN on your computer?
If you don't want these services on your computer, you can follow these steps to disable them.
- Open the Run box using the Windows key + R.
- Go to the services manager by typing in services.msc.
- Look for the Brave section in the services manager.
- Right-click on the Brave VPN and Brave VPN Wireguard services and change the startup type to disabled.
Is Brave browser safe to install?
Luckily, this appears to be an oversight by the Brave team, or possibly a decision made by the VPN team rather than a security and privacy-focused team member. While these installations are rather benign, they show the threat that any installation poses to our computers.
There aren't any security measures that require companies to disclose what they are installing on your PC, and it is all too easy for malicious actors to grab a good copy of a trusted program, add some malware or ransomware to the file, and have it installed on your PC. Always remember to find a known good file hash and compare it to the file you are downloading.
Do you use Brave browser? Do you think this news will make people stop trusting Brave? Let us know in the comments.
