Researchers at Israel-based cybersecurity firm Oligo have discovered a critical 18-year-old vulnerability that affects all major web browsers, including Google's Chromium, Mozilla Firefox, and Apple's Safari, allowing attackers to breach local networks.
Dubbed "0.0.0.0 Day," this vulnerability bypasses browser security in all major browsers and interacts with services running on an organization's local network.
This interaction can potentially grant threat actors unauthorized access to sensitive information and, in some instances, even allow them to execute remote code on local services.
In other words, the attackers could potentially access files, messages, and credentials, manipulate or steal data, interrupt operations, or install further malicious software, all from outside the network.
However, it should be noted that this critical flaw only affects computers running Linux and macOS, and not Windows, as Microsoft blocks the IP address at the operating system level.
According to Avi Lumelsky, an AI security researcher at Oligo, public websites (like domains ending in .com) are able to communicate with services running on the local network (localhost) and potentially execute arbitrary code on the visitor's host by using the address 0.0.0.0 instead of localhost/127.0.0.1.
"The issue stems from the inconsistent implementation of security mechanisms across different browsers, along with a lack of standardization in the browser industry. As a result, the seemingly innocuous IP address, 0.0.0.0, can become a powerful tool for attackers to exploit local services, including those used for development, operating systems, and even internal networks," Lumelsky wrote in a security blog post.
Oligo also explains that it bypasses existing protection mechanisms like Cross-Origin Resource Sharing (CORS) and Private Network Access (PNA), which fail to prevent this dangerous activity.
Oligo security researchers have observed multiple threat actors exploiting this flaw, including campaign attacks such as ShadowRay and SeleniumGreed.
In ShadowRay, the campaign actively targeted AI workloads running locally on developers' machines (Ray clusters), while in SeleniumGreed, the threat actors leveraged Selenium Grid public servers to gain initial access to organizations, using known Remote Code Execution (RCE) vulnerabilities.
In response to Oligo's disclosure, the browser vendors are beginning to block access to 0.0.0.0 in Google Chrome, Mozilla Firefox, and Apple Safari:
Google Chrome: The world's most popular web browser has decided to block access to 0.0.0.0 (Finch Rollout), starting with Chromium 128 via a gradual rollout and completing it with Chrome 133. At that point, the IP address will be blocked completely to all Chrome and Chromium users.
Mozilla Firefox: Firefox users might have to wait a bit longer for the patch, as Mozilla stated that blocking 0.0.0.0 could cause significant compatibility issues for servers using that address. Hence, it has not yet imposed any restrictions on accessing 0.0.0.0 but has plans to do so in the future.
Apple Safari: Apple plans to block all attempts from websites to send queries to 0.0.0.0 with the public beta version of macOS Sequoia. The update will be shipped with Safari 18 and is expected to be rolled out to macOS Sonoma and macOS Ventura.
Until browser fixes arrive, Oligo suggests that app developers follow the below measures to protect local applications:
- Implement PNA headers.
- Verify the Host header of the request to protect against DNS rebinding attacks to localhost or 127.0.0.1.
- Don't trust the localhost network: add a minimal layer of authorization, even locally.
- Use HTTPS when possible.
- Implement CSRF tokens in your applications, even for local ones.
- Developers must remember that browsers act as gateways: in many browsers, a web page can route requests into internal IP address spaces.
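The following is an added example, not code from Oligo or from the article, showing how a local development service can apply the Host-header check, the Private Network Access (PNA) preflight handling, and the minimal-authorization measure from the list above. The listening address 127.0.0.1:8080, the allowlists, and the bearer token are assumptions for illustration. A browser page that requests http://0.0.0.0:8080/ sends Host: 0.0.0.0:8080, which the allowlist rejects; a DNS-rebinding request carries the attacker's hostname and is rejected the same way; and because the token is generated per process and never stored in a cookie, a web page cannot cause the browser to attach it automatically, so it also serves the CSRF purpose of the last bullet.

```python
"""Hardened local HTTP service: Host allowlist, PNA preflight policy,
and per-process bearer-token authorization.

Added example (not Oligo's code). Hypothetical service on 127.0.0.1:8080."""
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Only these Host values are accepted. "0.0.0.0:8080" and any rebound
# domain name are absent, so such requests are refused before any handler runs.
ALLOWED_HOSTS = {"localhost:8080", "127.0.0.1:8080"}
# Web origins allowed to make cross-origin requests; no public origin appears.
ALLOWED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}
# Fresh random token per process; the local client reads it from stdout.
ACCESS_TOKEN = secrets.token_urlsafe(32)


def check_request(headers, method, access_token=ACCESS_TOKEN):
    """Decide whether a request is served.

    headers: any mapping with .get() (a dict or http.server's Message).
    Returns (status, reason, extra_response_headers).
    """
    host = headers.get("Host", "")
    if host not in ALLOWED_HOSTS:
        # Defeats 0.0.0.0 access and DNS rebinding alike.
        return 421, "Misdirected Request: unexpected Host header", {}

    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        # Covers both the PNA preflight (OPTIONS with
        # Access-Control-Request-Private-Network) and the real cross-site
        # request: refusing the preflight means the browser never sends it.
        return 403, "cross-origin request from a disallowed origin", {}

    if method == "OPTIONS":
        # Preflight from an allowed local origin. Grant PNA only when asked.
        extra = {"Access-Control-Allow-Origin": origin} if origin else {}
        if headers.get("Access-Control-Request-Private-Network") == "true":
            extra["Access-Control-Allow-Private-Network"] = "true"
        return 204, "preflight ok", extra

    # Minimal authorization even on localhost: a non-browser client (curl,
    # a malicious local process) can forge Host, so the token is what counts.
    presented = headers.get("Authorization", "")
    if not secrets.compare_digest(presented, f"Bearer {access_token}"):
        return 401, "missing or invalid token", {"WWW-Authenticate": "Bearer"}

    return 200, "ok", {}


class HardenedHandler(BaseHTTPRequestHandler):
    """Applies check_request to every method we serve."""

    def _handle(self):
        status, reason, extra = check_request(self.headers, self.command)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        if status != 204:
            self.wfile.write(reason.encode())

    do_GET = do_POST = do_OPTIONS = _handle


def main():
    # Bind to loopback rather than 0.0.0.0 so the service is not reachable
    # from the LAN; this does not by itself stop the browser-side 0.0.0.0
    # trick on Linux/macOS, which is why check_request exists.
    print(f"access token: {ACCESS_TOKEN}")
    HTTPServer(("127.0.0.1", 8080), HardenedHandler).serve_forever()


if __name__ == "__main__":
    main()
```

Run it, then exercise it with a local client that sets `Authorization: Bearer <token>`; a browser page on any public origin that tries http://0.0.0.0:8080/ receives 421 and never reaches the token check. Adding HTTPS on top of this is the remaining item from the list and is deliberately left out of the example.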