Advertisement

Researchers find decades-old vulnerability in major web browsers 

The flaw, called ‘0.0.0.0 day,’ has to do with how browsers handle network requests.
Google Chrome's logo is seen at Google's annual developer conference, Google I/O, at Moscone Center in San Francisco on June 28, 2012 in California. AFP PHOTO / Kimihiro Hoshino (Photo credit should read KIMIHIRO HOSHINO/AFP/GettyImages)

An Israeli cybersecurity firm has identified a zero-day vulnerability affecting major web browsers that could allow attackers to bypass normal browser security measures and potentially breach local networks.

The flaw, discovered by Oligo Security, was found in how browsers handle network requests. 

In summary, devices read IP addresses to connect users to websites, with 0.0.0.0 serving as a placeholder until a real address is assigned. Oligo researchers found that a would-be attack can exploit how browsers like Apple’s Safari, Google’s Chrome and Mozilla’s Firefox handle queries to 0.0.0.0, redirecting them to other addresses such as ‘localhost,’ which is typically private. 

This exploit allows attackers to access private data by sending requests to 0.0.0.0. Attackers could then perform all types of nefarious actions, gaining unauthorized access and executing remote code on locally running programs, which could impact development platforms, operating systems and internal networks.

Advertisement

Oligo has dubbed the vulnerability “0.0.0.0 day,” and wrote in a blog post that it considers it to be “far-reaching, affecting individuals and organizations alike.”

By April, Oligo had alerted security teams at major tech companies and started working with them on solutions to the issue. Google has already started to block 0.0.0.0 requests in Chrome, and over the next few months will be implementing fixes to Chromium, the open-source code base that powers Chrome and other popular browsers. 

Apple told Forbes that it has initiated changes to deny such requests in Safari. Oligo says there is no immediate fix for Firefox, but it has been working with Mozilla to block 0.0.0.0 in the future.  

To further avoid any possible security issues, Oligo suggests that security teams use Private Network Access headers — ​​a feature that provides attentional protection for local networks from potential vulnerabilities or malicious attacks. The company also recommends using HTTPS whenever possible and implementing cross-site request forgery (CSRF) tokens in web applications, even if they are only running locally. 

You can read the full technical details on Oligo’s blog

Greg Otto

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.

Latest Podcasts