It’s 2024 and we’re just getting round to stopping browsers insecurely accessing 0.0.0.0

August 9, 2024 at 01:46AM

A security flaw affecting various web browsers on macOS and Linux, but not on Windows, has been identified. Dubbed the 0.0.0.0 Day by Oligo Security, it allows attackers to access local services. The browsers’ teams have committed to blocking access to 0.0.0.0. Chrome and WebKit have initiated changes, while Mozilla is yet to implement a fix.

The 0.0.0.0 Day vulnerability is a long-standing security issue affecting various web browsers on macOS and Linux. The flaw allows malicious websites to make requests to 0.0.0.0 on a port of their choosing, potentially reaching services running locally on the user’s machine. The browsers affected include Chromium-based browsers (such as Microsoft Edge and Google Chrome), WebKit browsers (like Apple’s Safari), and Mozilla’s Firefox.

Oligo Security has highlighted this vulnerability, and the browser teams have committed to blocking access to 0.0.0.0 and implementing mitigations to address the localhost loophole. Specifically, the Chrome team plans to block access to 0.0.0.0 starting with Chromium 128, with Google gradually rolling out the change to Chrome 133. Similarly, Apple has made changes to its WebKit open source software to block access to 0.0.0.0. Mozilla has not yet implemented Private Network Access (PNA) in Firefox, but it did change the Fetch specification (RFC) to block 0.0.0.0 following the report from Oligo.

Oligo was able to bypass PNA and demonstrated that public websites could dispatch HTTP requests using JavaScript to reach services on the local network. It is suggested that PNA needs to be standardized and browsers need to implement PNA according to that standard to effectively mitigate this vulnerability.
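
A simplified model of the address-space comparison that a PNA-style check relies on, with 0.0.0.0 placed in the local space so that a page loaded from a public address cannot reach it. This is an added example, not browser source code or code from Oligo; the function names, the range table and the sample addresses are assumptions made for illustration, and real PNA additionally lets a local service opt in through a preflight.

```javascript
// Added example: simplified PNA-style address-space check (names and ranges are assumptions).
// Address spaces ranked from least to most private.
const RANK = { public: 0, private: 1, local: 2 };

// IPv4 ranges as [base, prefix bits, space]. 0.0.0.0 is listed as "local"
// so it is treated like loopback rather than falling through to "public".
const V4_RANGES = [
  ["0.0.0.0", 32, "local"],
  ["127.0.0.0", 8, "local"],
  ["10.0.0.0", 8, "private"],
  ["172.16.0.0", 12, "private"],
  ["192.168.0.0", 16, "private"],
  ["169.254.0.0", 16, "private"],
];

// Parse a strict dotted-quad IPv4 string into an integer, or null if it is not one.
function ipv4ToInt(text) {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

// Classify an IP literal; host names and other IPv6 forms are "unknown" here.
function addressSpace(host) {
  const bare = host.replace(/^\[|\]$/g, ""); // URL.hostname keeps IPv6 brackets
  if (bare === "::1") return "local";
  const addr = ipv4ToInt(bare);
  if (addr === null) return "unknown";
  for (const [base, bits, space] of V4_RANGES) {
    const size = 2 ** (32 - bits);
    if (Math.floor(addr / size) === Math.floor(ipv4ToInt(base) / size)) return space;
  }
  return "public";
}

// pageAddress: IP the page was loaded from. Block when the target sits in a
// more private space than the page, and fail closed on anything unclassified.
function isBlocked(pageAddress, targetUrl) {
  const from = addressSpace(pageAddress);
  const to = addressSpace(new URL(targetUrl).hostname);
  if (from === "unknown" || to === "unknown") return true;
  return RANK[to] > RANK[from];
}
```

Removing the `0.0.0.0` row makes `addressSpace("0.0.0.0")` return `"public"`, and the same public page is then allowed through, which is the gap the browser changes close.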

In summary, the issue has been acknowledged by major browser teams, with planned actions to address the vulnerability. However, concerns remain about the ability of public websites to access local services and the need for standardized and implemented PNA to provide effective protection.