Browser vulnerabilities can turn the tables on even the most privacy-focused platforms. In December 2016, security researcher Masato Kinugawa found a critical flaw in Brave Browser (version 0.12.11) that let a web page send arbitrary Inter-Process Communication (IPC) messages from its renderer to the browser's privileged main process. The discovery, rewarded with a $300 bounty, exposed a weakness that could be used to manipulate browser settings, spoof the address bar, and achieve Universal Cross-Site Scripting (UXSS). This article covers the technical breakdown, the real-world implications, and the lessons learned from this bug.
The vulnerability stemmed from Brave's JavaScript environment: the browser's own privileged scripts ran in the same JavaScript realm as page content, so a script controlled by a web page could overwrite internals that the privileged code relied on. Specifically, an attacker could replace Function.prototype.call, one of the fundamental built-in functions that almost all JavaScript code invokes indirectly, with a version of their own. Because the privileged code that sent IPC messages went through that method, the attacker's replacement could inspect and rewrite every message passing between the renderer and the main process. The flaw, reported on December 2, 2016, opened a Pandora's box of…
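To make the mechanism concrete, here is an added example (not code from the report, and not Brave's own code) that models it in plain Node.js without Electron. A stand-in "main process" records whatever IPC messages reach it; a privileged sender written the vulnerable way reaches Function.prototype.call at run time, so a page script that replaced it can rewrite the message; a hardened sender captures Reflect.apply before any page code runs and is unaffected. The channel names and the setting being changed are invented for the demonstration.

```javascript
// Added example (not Brave's code or the report's): a minimal model of how a
// page script can hijack privileged IPC by poisoning Function.prototype.call,
// and how capturing intrinsics before page code runs defends against it.
// Runs in plain Node.js; no Electron. Channel names and settings are invented.

// Stand-in for the main-process end of the channel: records what arrives.
function makeMainProcess() {
  const received = [];
  return {
    received,
    // Method is named 'send' on purpose; the attacker keys on that name below.
    send(channel, ...args) {
      received.push({ channel, args });
    },
  };
}

// Privileged renderer code written the vulnerable way: the '.call' it uses is
// looked up on Function.prototype at run time, so whatever the page stored
// there executes with the privileged code's arguments in hand.
function vulnerableSend(ipc, channel, payload) {
  return ipc.send.call(ipc, channel, payload);
}

// Hardened variant: capture the intrinsics you depend on when the privileged
// script loads (before any page script executes) and use only those references.
const ReflectApply = Reflect.apply;

function hardenedSend(ipc, channel, payload) {
  return ReflectApply(ipc.send, ipc, [channel, payload]);
}

// Attacker (page-controlled) code: replace Function.prototype.call so that any
// privileged call to a function named 'send' is rewritten into an
// attacker-chosen IPC message. The override is removed afterwards so the demo
// leaves the runtime clean for whatever runs next.
function withPoisonedCall(evilChannel, evilArgs, run) {
  const originalCall = Function.prototype.call;
  Function.prototype.call = function poisonedCall(thisArg, ...args) {
    if (this.name === 'send') {
      return originalCall.apply(this, [thisArg, evilChannel, ...evilArgs]);
    }
    return originalCall.apply(this, [thisArg, ...args]);
  };
  try {
    return run();
  } finally {
    Function.prototype.call = originalCall;
  }
}

// Hypothetical benign message the privileged code meant to send, and the
// hypothetical settings-change message the attacker substitutes for it.
const BENIGN = { channel: 'page-title-updated', payload: 'Hello' };
const EVIL = { channel: 'change-setting', args: ['shields.enabled', false] };

// Vulnerable path: the main process receives the attacker's message instead.
function runVulnerableDemo() {
  const main = makeMainProcess();
  withPoisonedCall(EVIL.channel, EVIL.args, () =>
    vulnerableSend(main, BENIGN.channel, BENIGN.payload));
  return main.received;
}

// Hardened path: the poisoned prototype never gets a chance to run.
function runHardenedDemo() {
  const main = makeMainProcess();
  withPoisonedCall(EVIL.channel, EVIL.args, () =>
    hardenedSend(main, BENIGN.channel, BENIGN.payload));
  return main.received;
}

console.log('vulnerable:', JSON.stringify(runVulnerableDemo()));
console.log('hardened:  ', JSON.stringify(runHardenedDemo()));
```

The defensive pattern shown in hardenedSend is the one Node.js itself applies to its internals ("primordials"): every built-in the privileged code needs is captured into a private reference at load time, before untrusted code can touch the shared prototypes, so later mutations of Function.prototype or Array.prototype by a page have nothing to hook. The deeper fix is not to share a realm with page content at all.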