
It's 2024 and we're just getting round to stopping browsers insecurely accessing 0.0.0.0
2024-08-09 05:34

A years-old security oversight has been addressed in basically all web browsers - Chromium-based browsers, including Microsoft Edge and Google Chrome, WebKit browsers like Apple's Safari, and Mozilla's Firefox.

According to Oligo, each of the three browser teams has promised to block all access to 0.0.0.0 and to enact its own mitigations to close the localhost loophole.

So if you have a service running on your macOS or Linux workstation on port 11223, and you assume nobody can reach it because it sits behind your firewall and your big-name browser blocks outside requests to localhost, guess again: the browser will route a request for 0.0.0.0:11223 from a malicious page you are visiting straight to that service.
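As an added example (not code from the article or from Oligo's research), this is the kind of request check a local service on port 11223 could apply so that a page served from another site cannot drive it through http://0.0.0.0:11223. The allowlists are constructed for illustration; Host, Origin and Sec-Fetch-Site are standard headers browsers send, the last of which the article does not mention.

```python
# Added example: reject browser requests that reach a local service via 0.0.0.0
# or that originate from a page on another site. Allowlist values are constructed.
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}   # constructed allowlist
ALLOWED_ORIGINS = {"http://localhost:11223"}           # constructed allowlist


def _host_only(host_header):
    """Strip the :port suffix from a Host header ('[::1]:11223' -> '[::1]')."""
    if host_header.startswith("["):
        return host_header.split("]")[0] + "]"
    return host_header.split(":")[0]


def classify_request(headers):
    """Return (allowed, reason) for one request's headers (dict, any key case).

    A browser reaching the service through 0.0.0.0 sends 'Host: 0.0.0.0:11223',
    and a page on another site sends 'Sec-Fetch-Site: cross-site' and an Origin
    outside the allowlist; each of those is rejected before any handler runs.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = _host_only(h.get("host", ""))
    if host not in ALLOWED_HOSTS:          # covers 0.0.0.0 and any unexpected name
        return False, f"unexpected Host {host!r}"
    if h.get("sec-fetch-site") == "cross-site":
        return False, "Sec-Fetch-Site cross-site"
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"unexpected Origin {origin!r}"
    return True, "ok"


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler: 403 with the reason when the check fails, else 200."""

    def do_GET(self):
        allowed, reason = classify_request(dict(self.headers))
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write((reason + "\n").encode())


if __name__ == "__main__":
    # Binding to loopback alone is not enough: on Linux a connection to 0.0.0.0
    # still reaches a loopback listener, so the header check above is the guard.
    HTTPServer(("127.0.0.1", 11223), GuardedHandler).serve_forever()
```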

Specifically, the loophole lies in the Cross-Origin Resource Sharing (CORS) specification and the more recent Private Network Access (PNA) specification, which browsers use to distinguish between public and non-public networks and to fortify CORS by restricting outside sites' ability to communicate with servers on private networks and on the host machine itself.

In response to this, Chrome will block access to 0.0.0.0 starting with Chromium 128, and Google will gradually roll out this change to be completed by Chrome 133.

Mozilla is supportive of efforts to improve the security of these vulnerable services by improving the restrictions in CORS. However, we are aware that imposing tighter restrictions comes with a significant risk of introducing compatibility problems.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/08/09/0000_day_bug/