Researchers find decades-old vulnerability in major web browsers
An Israeli cybersecurity firm has identified a long-standing vulnerability in major web browsers that lets a malicious website bypass the browser's normal isolation of local addresses and reach services on a visitor's own machine, and from there potentially the local network.
The flaw, discovered by Oligo Security, was found in how browsers handle network requests.
In summary: 0.0.0.0 is a placeholder address that does not identify any real host; software uses it to mean "no address assigned yet" or "all local interfaces". On macOS and Linux, traffic sent to 0.0.0.0 is delivered to the local machine itself, so it behaves much like ‘localhost’ (Windows refuses it at the operating-system level). Oligo's researchers found that Safari, Chrome and Firefox did not treat 0.0.0.0 as a private or local address, so the checks that normally stop a public web page from talking to localhost never applied: a request from an arbitrary website to http://0.0.0.0:<port>/ is handed to whatever service is listening on that port on the visitor's computer.
The result is that a page the user merely visits can send requests to 0.0.0.0 and interact with applications that were assumed to be reachable only from the local machine. Depending on what is listening, the impact ranges from leaking private data to remote code execution through locally running software, which Oligo says could affect development platforms, operating systems and internal networks.
Oligo has dubbed the vulnerability “0.0.0.0 day,” and wrote in a blog post that it considers it to be “far-reaching, affecting individuals and organizations alike.”
By April, Oligo had alerted security teams at the major browser vendors and started working with them on fixes. Google has already begun blocking requests to 0.0.0.0 in Chrome and is rolling the change out to Chromium, the open-source code base behind Chrome and other popular browsers, over the following months.
Apple told Forbes that it has initiated changes to deny such requests in Safari. Oligo says there is no immediate fix for Firefox, but it has been working with Mozilla to block 0.0.0.0 in the future.
To reduce exposure regardless of browser behaviour, Oligo suggests that security teams rely on Private Network Access (PNA) headers, a browser mechanism that makes a public website obtain explicit permission, via a CORS preflight, before it can reach an address on a private or local network; note that PNA only protects an address once the browser classifies it as local, which is exactly what was missing for 0.0.0.0. The company also recommends using HTTPS wherever possible and implementing cross-site request forgery (CSRF) tokens in web applications, even if they are only running locally, because a request arriving on the loopback interface is not proof that a trusted user sent it.
You can read the full technical details on Oligo’s blog.