New Browser Vulnerability Hits macOS and Linux Devices

Tech Read Team





Aug 08, 2024 | Ravie Lakshmanan | Vulnerability / Browser Security

Cybersecurity researchers have disclosed a vulnerability dubbed “0.0.0.0 Day” that affects all major web browsers and that malicious websites could exploit to infiltrate local networks.

According to Oligo Security researcher Avi Lumelsky, the critical flaw “reveals a core issue in the way browsers manage network requests, potentially providing unauthorized access to sensitive services on local devices.”

The Israeli application security firm emphasized that the impact of this vulnerability is extensive, and that it arises from the inconsistent implementation of security mechanisms and a lack of standardization across browsers.

The seemingly innocuous IP address 0.0.0.0 has been weaponized to exploit local services, leading to unauthorized access and remote code execution by external attackers. This loophole has reportedly existed since 2006.

The 0.0.0.0 Day vulnerability affects Google Chrome/Chromium, Mozilla Firefox, and Apple Safari, allowing external websites to interact with locally running software on macOS and Linux. Windows systems are not impacted, as Microsoft blocks the IP address at the OS level.

Oligo Security discovered that public websites with “.com” domains can communicate with services on local networks and execute code on a visitor’s host using the 0.0.0.0 address instead of localhost/127.0.0.1.

This vulnerability also bypasses Private Network Access (PNA), designed to prevent public websites from accessing private network endpoints directly.

Any application running on localhost that is reachable via 0.0.0.0 could be vulnerable to remote code execution. This includes local Selenium Grid instances, which can be targeted by sending a POST request to 0.0.0.0:4444 with a specific payload.





In response to these findings from April 2024, web browsers are expected to block access to 0.0.0.0 entirely, ending direct access to private network endpoints from public websites.

Lumelsky remarked, “When services use localhost, they assume a constrained environment. This assumption, as in the case of this vulnerability, may be flawed, resulting in insecure server implementations.”

“By utilizing 0.0.0.0 along with ‘no-cors’ mode, attackers can manipulate public domains to attack localhost services, potentially achieving arbitrary code execution (RCE) via a single HTTP request.”
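
A defensive illustration of the point about localhost assumptions, added here and not taken from the article or from Oligo Security: a local HTTP service that checks the Host and Origin headers itself instead of treating every inbound request as trusted. The port, the allowlist and the function names are assumptions made for this example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

PORT = 8765  # assumed port for this example
ALLOWED_HOSTNAMES = {"localhost", "127.0.0.1", "::1"}  # assumed allowlist


def hostname_of(value):
    """Return the hostname of a Host or Origin header value, or None."""
    if not value:
        return None
    netloc = value if "://" in value else "//" + value
    try:
        return urlsplit(netloc).hostname
    except ValueError:  # malformed value, e.g. unbalanced IPv6 brackets
        return None


def is_request_allowed(headers):
    """Accept only requests addressed to, and originating from, a loopback name."""
    if hostname_of(headers.get("Host")) not in ALLOWED_HOSTNAMES:
        # A page that targets http://0.0.0.0:<port>/ makes the browser
        # send "Host: 0.0.0.0:<port>", which is rejected here.
        return False
    origin = headers.get("Origin")
    if origin is not None and hostname_of(origin) not in ALLOWED_HOSTNAMES:
        # A browser request initiated by a public (non-local) page.
        return False
    return True


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not is_request_allowed(self.headers):
            self.send_error(403, "Request not addressed to loopback")
            return
        self.send_response(204)  # a real service would do its work here
        self.end_headers()


if __name__ == "__main__":
    # Loopback bind; the header check is what rejects 0.0.0.0-addressed requests.
    HTTPServer(("127.0.0.1", PORT), Handler).serve_forever()
```

The same check belongs on every method that changes state; a service that performs sensitive actions should also require authentication rather than rely on header checks alone.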


