Security researchers have uncovered a browser vulnerability impacting MacOS and Linux users that can be used to breach local networks.
The vulnerability, reported to browser makers by Oligo Security, has been dubbed “0.0.0.0 Day” and “exposes a fundamental flaw in how browsers handle network requests”, the researchers said in a blog post.
“Oligo researchers have found that public websites (like domains ending in .com) are able to communicate with services running on the local network (localhost) and potentially execute arbitrary code on the visitor’s host by using the address 0.0.0.0 instead of localhost/127.0.0.1.”
Oligo said that the issue “stems from the inconsistent implementation of security mechanisms across different browsers, along with a lack of standardisation in the browser industry.”
It disclosed the vulnerability to Chromium, Firefox, Safari browser makers in April.
“The browser teams at each company have acknowledged the security flaw and will work on changing the related standard, and will also implement browser-level mitigations,” the researchers wrote.
“Eventually, all browsers will block 0.0.0.0, but at the same time, the market demands a common standard to follow as well.
“Due to the nature of the vulnerability and the complexity of the patch across browsers, it remains exploitable, allowing external websites to communicate with services on localhost.”
Oligo said that both Google and Apple have made changes.
“Chrome is blocking access to 0.0.0.0 (Finch Rollout) starting with Chromium 128. Google will gradually roll out this change over the next few releases, completing it by Chrome 133, at which point the IP address will be blocked completely to all Chrome and Chromium users,” Oligo noted.
“Apple [also] made breaking changes to WebKit that block access to 0.0.0.0.”
The researchers said there is “no immediate fix in Firefox” but that one “is in progress”. They added that 0.0.0.0 “will be blocked by Firefox… at an undetermined point in the future.”