IP Address Zero-Day Vulnerability Allows Hackers To Attack Mac, Linux Computers

Sources: PCMag, The Cyber Security Hub

The zero-day flaw is IP address 0.0.0.0, which can be exploited in Safari, Chrome, Firefox, Edge, and Opera.

Israeli cyber security company Oligo has uncovered an 18-year-old vulnerability, which they have dubbed “0.0.0.0 Day.” This critical flaw allows malicious websites to bypass browser security measures in Google Chrome, Mozilla Firefox, and Apple Safari, enabling them to interact with services on a local network. Safari, Firefox, and all Chromium-based web browsers are vulnerable to this threat, which means that Microsoft Edge, Brave, and Opera are also technically exposed. This flaw allows for unauthorized access and remote code execution on local services by attackers outside the network. This vulnerability only affects Linux and macOS devices, leaving Windows users unaffected.

Public websites can interact with services on localhost or the local network. They could “execute arbitrary code on the visitor’s computer using the address 0.0.0.0 instead of localhost/127.0.0.1,” the researchers explain in their post summarizing the exploit. “By allowing 0.0.0.0, you’re allowing all the things you’ve been blocking for years,” Gal Elbaz, co-founder and CTO of Oligo, tells Forbes. “Allowing 0.0.0.0 essentially allows everything.” The root of this issue lies in the inconsistent implementation of security mechanisms across various browsers, compounded by a lack of industry-wide standardization. Oligo researchers note that 0.015% of all websites communicate with this IP address, meaning approximately 100,000 websites could facilitate this attack. So far, hackers have reportedly been using this IP address to attack AI workloads.

Apple will reportedly include its fix for this flaw in the macOS 15 Sequoia beta by blocking the 0.0.0.0 address. It has also updated Safari WebKit to block connections to this IP. Chrome proposes a similar fix for its browser, recognizing that the 0.0.0.0 address allows users to bypass Private Network Access protection.

Browser-Specific Remediation Status:
Google Chrome and Chromium-Based Browsers: In Chrome, the 0.0.0.0 address bypassed the Private Network Access (PNA) initiative, which aims to improve security. Chrome is currently rolling out a fix, starting with Chromium 128, to block access to 0.0.0.0 entirely. This update will be fully deployed by Chrome version 133.

Apple Safari: Safari, built on the WebKit platform, has implemented changes to block access to 0.0.0.0 by checking the destination IP address and blocking requests if they are all zeros.

Mozilla Firefox: While Firefox has not yet implemented a complete fix, it has modified the Fetch specification to block 0.0.0.0. The browser plans to prioritize the implementation of Private Network Access, though this has yet to be finalized. A Mozilla spokesperson emailed PCMag, stating that “Enforcing stricter restrictions carries a significant risk of introducing compatibility issues.” “As the standards discussion and work to understand these compatibility risks is ongoing, Firefox has not implemented any of the proposed restrictions.”
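
The gap and the fix described above, as an added sketch (not code from Oligo or from any browser): a destination check that lists only loopback and private ranges lets a public page reach 0.0.0.0, while the corrected check also refuses the all-zeros address, including its IPv6 and IPv4-mapped forms. The range list, function names, and sample addresses are assumptions made for illustration.

```python
import ipaddress

# Ranges treated as "local" in this sketch (an assumed list, not any browser's own).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def _parse(dest_ip):
    """Parse an IP literal; unwrap IPv4-mapped IPv6 so ::ffff:a.b.c.d is judged as a.b.c.d."""
    ip = ipaddress.ip_address(dest_ip.strip("[]"))
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def is_local_naive(dest_ip):
    """Check with the gap: only loopback and private ranges count as local."""
    ip = _parse(dest_ip)
    return any(ip in net for net in LOCAL_NETS)

def is_local_hardened(dest_ip):
    """Corrected check: an all-zeros destination (0.0.0.0 or ::) is refused too."""
    ip = _parse(dest_ip)
    return ip.is_unspecified or any(ip in net for net in LOCAL_NETS)

def allow_request(page_is_public, dest_ip, is_local):
    """A public page may not send requests to a destination judged local."""
    return not (page_is_public and is_local(dest_ip))

# Constructed sample destinations (already-resolved IP literals).
SAMPLES = ["127.0.0.1", "192.168.1.10", "0.0.0.0", "::",
           "::ffff:0.0.0.0", "203.0.113.7"]

def compare(samples=SAMPLES):
    """Map each destination to (allowed by naive check, allowed by hardened check)."""
    return {d: (allow_request(True, d, is_local_naive),
                allow_request(True, d, is_local_hardened)) for d in samples}

if __name__ == "__main__":
    for dest, (before, after) in compare().items():
        flag = "  <-- gap closed" if before and not after else ""
        print(f"{dest:16} naive={before!s:5} hardened={after!s:5}{flag}")
```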
