Big New 0-day vulnerability for Web Browsers
(for Linux & Mac)
Researchers at Oligo Security have disclosed a logical vulnerability to all major browsers (Chromium, Firefox, Safari) that enables external websites to communicate with (and potentially exploit) software that runs locally on MacOS and Linux. Windows is not impacted by this issue.
Oligo Researchers have found that public websites (like domains ending in .com) are able to communicate with services running on the local network (localhost) and potentially execute arbitrary code on the visitor’s host by using the address 0.0.0.0 instead of localhost/127.0.0.1.
Remediation In Progress: Browsers Will Soon Block 0.0.0.0
Following responsible disclosure, HTTP requests to 0.0.0.0 are now being added to security standards using a Request for Comment (RFC), and some browsers will soon block access to 0.0.0.0 completely. 0.0.0.0 will not be allowed as a target IP anymore in the Fetch specification, which defines how browsers should behave when doing HTTP requests.
Source:
https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser
SimplifiedPrivacy.com
npub14s…jt5d6
2024-08-13 00:34:58
Author Public Key
npub14slk4lshtylkrqg9z0dvng09gn58h88frvnax7uga3v0h25szj4qzjt5d6Published at
2024-08-13 00:34:58Event JSON
{
"id": "c2ebc2eda4e2142f03c528f2407c4c3d9e4d3e6b931f10214eafa0025f6d788a",
"pubkey": "ac3f6afe17593f61810513dac9a1e544e87b9ce91b27d37b88ec58fbaa9014aa",
"created_at": 1723502098,
"kind": 1,
"tags": [],
"content": "Big New 0-day vulnerability for Web Browsers\n(for Linux \u0026 Mac)\n\nResearchers at Oligo Security have disclosed a logical vulnerability to all major browsers (Chromium, Firefox, Safari) that enables external websites to communicate with (and potentially exploit) software that runs locally on MacOS and Linux. Windows is not impacted by this issue.\n\nOligo Researchers have found that public websites (like domains ending in .com) are able to communicate with services running on the local network (localhost) and potentially execute arbitrary code on the visitor’s host by using the address 0.0.0.0 instead of localhost/127.0.0.1. \n\nRemediation In Progress: Browsers Will Soon Block 0.0.0.0\n\nFollowing responsible disclosure, HTTP requests to 0.0.0.0 are now being added to security standards using a Request for Comment (RFC), and some browsers will soon block access to 0.0.0.0 completely. 0.0.0.0 will not be allowed as a target IP anymore in the Fetch specification, which defines how browsers should behave when doing HTTP requests.\n\nSource:\nhttps://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser",
"sig": "8b9ce4555b7e91210f470eb4feee303960589fa4b1e23a72a4546e9e104654715e64444a9bc1bf4c3f66008f1e715e964713cfb8b3c97891abd7d96cc6b99446"
}