Chrome, Safari, and Firefox at risk from 0.0.0.0-day exploit

For nearly two decades, a critical vulnerability, dubbed 0.0.0.0-day, in some of the world’s most popular web browsers, including Chrome, Safari, and Firefox, has left home and business networks susceptible to hacker intrusions. The loophole pertains to how browsers handle queries to the 0.0.0.0 IP address, allowing malicious actors to access private networks and sensitive data from over 100,000 public websites.

Researchers confirmed that only macOS and Linux systems are affected by this vulnerability. Windows operating systems are secure against the flaw.

These browsers accepted queries to 0.0.0.0 and redirected them to other IP addresses, including the ‘localhost’ address typically used for testing and development code. This vulnerability has led to what researchers have coined a ‘0.0.0.0-day’ attack, in which hackers can exploit this redirection to gain unauthorised access to sensitive information and systems.

Attackers can deceive users into visiting seemingly harmless websites that send malicious requests to the 0.0.0.0 IP address. These requests can then access private data and potentially infiltrate the victim’s internal private network.

“With 200 million websites in the world as of August 2024, as many as ~100K public websites may be communicating with 0.0.0.0,” cautioned researchers.

Apple has started working on a fix to mitigate the 0.0.0.0-day attack.

Researchers emphasised the seriousness of the threat, noting that it allows attackers to exploit various sectors within a compromised network.

The scope of this vulnerability is vast, potentially impacting many systems that host web servers. Researchers highlight hackers’ ability to run unauthorised code on servers using the Ray AI framework, a tool employed by major companies like Amazon and Intel for training AI models.

This problem extends to any application using localhost accessible via 0.0.0.0, making a wide range of data and credentials vulnerable to theft.
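A way to check a machine for the behaviour described above, as an added example that is not from the researchers or the original article: it binds a throwaway listener to 127.0.0.1 only, then tests whether the same port also answers on 0.0.0.0. The function names are illustrative, and any port numbers passed on the command line are the reader's own choice.

```python
import socket
import sys


def probe(addr: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to addr:port succeeds."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_zero_address_routing() -> dict:
    """Listen on 127.0.0.1 only, then try to reach that listener
    through 127.0.0.1 and through 0.0.0.0."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # loopback only, OS picks a free port
        srv.listen(4)               # kernel completes handshakes for us
        port = srv.getsockname()[1]
        return {addr: probe(addr, port) for addr in ("127.0.0.1", "0.0.0.0")}


def audit_ports(ports) -> list:
    """Return the local ports from `ports` that accept connections on 0.0.0.0."""
    return [p for p in ports if probe("0.0.0.0", p)]


if __name__ == "__main__":
    result = check_zero_address_routing()
    print(f"platform: {sys.platform}")
    for addr, ok in result.items():
        print(f"  loopback-only listener reachable via {addr}: {ok}")
    if result["0.0.0.0"]:
        print("This OS routes 0.0.0.0 to local services.")
    # Optional: ports of local dev tools to audit, given as arguments.
    ports = [int(a) for a in sys.argv[1:]]
    for p in audit_ports(ports):
        print(f"  port {p} answers on 0.0.0.0; require authentication "
              "on that service or stop it when not in use")
```

Run it with the ports of local development servers as arguments to see which of them a request addressed to 0.0.0.0 would reach.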

“The browser teams at each company have acknowledged the security flaw and will work on changing the related standard, and will also implement browser-level mitigations. Eventually, all browsers will block 0.0.0.0, but at the same time, the market demands a common standard to follow as well,” said researchers.

Google is also taking steps to address the flaw.

Google researcher David Adrian corroborated these findings, reporting multiple instances of malware exploiting this loophole to target specific developer tools.

In light of these revelations, tech giants Apple, Google, and Mozilla are taking steps to address this vulnerability. Apple has announced plans to block all 0.0.0.0 queries in the beta version of macOS 15 Sequoia.

Google’s security teams for Chromium and Chrome are also working on implementing similar restrictions, though no official statement has been made, Forbes reports.

Mozilla, however, faces a unique challenge. The company is cautious about imposing restrictions that could disrupt servers using 0.0.0.0 as a localhost substitute. A Mozilla spokesperson highlighted the ongoing discussions about compatibility risks, stating that Firefox has yet to adopt any proposed measures.

Researchers will present their findings at the DEF CON conference in Las Vegas, scheduled for August 8 to 11.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me