Browsers on MacOS and Linux have failed to block malicious instructions sent to 0.0.0.0 – for 18 years


If a malicious website sends a request to the 0.0.0.0 IP address, web browsers on Linux or macOS won't question it – they route the request to whatever application is listening on the specified port. Security company Oligo Security has found that this door, which lets attackers tamper with local systems, has stood open for 18 years.

According to the firm’s research team, malicious websites can bypass browser security measures and interact with services running on an organization’s local network just by trying to access a 0.0.0.0 IP address. Potential uses include unauthorized access and remote code execution (RCE).

The long-standing flaw affects all major web browsers on Linux and macOS, including Safari, Firefox, Chrome, and other Chromium-based browsers. It does not affect Windows systems.

Dubbed “0.0.0.0 Day,” this vulnerability is a fundamental flaw in how browsers handle network requests from external websites.

Browsers do a good job handling cross-site requests, such as when one website wants to load data from another website, such as Google Analytics, or embed videos from YouTube. Security mechanisms restrict requests to servers on private networks. That keeps malicious websites from using cross-site request forgery attacks to access private data, internal networks, and local applications.

For example, attacker.com cannot contact 127.0.0.1 or 192.168.1.1, addresses that are treated as private.

But the 0.0.0.0 IP address turns out to be special. This unusual address is described as “This host on this network” or simply “localhost,” and has “multiple uses.”

“We ran a dummy HTTP server on localhost (127.0.0.1). We then tried to access it through an external domain from Javascript, using 0.0.0.0. It … simply worked. The request reached the server,” the researchers said.

Although the browser blocked the server’s response from reaching the “attacker,” that still means that “public websites can access any open port on your host, without the ability to see the response.”
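Because the request still reaches the local service even though the browser discards the response, a service listening on the machine cannot rely on the browser alone. The following is an added example, not code from Oligo’s report, of a check such a service could run on incoming request headers; the Host allowlist and the sample request are assumptions constructed for illustration.

```python
# Added example (not Oligo's code): header checks for a service that expects
# only local clients. The browser discards the response but still delivers
# the request, so the service must inspect Host and Origin itself.
import ipaddress
from urllib.parse import urlsplit

# Assumption: the service is only ever addressed by these Host values.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _host_only(host_header):
    """Strip an optional :port from a Host value, handling [IPv6]:port."""
    value = host_header.strip().lower()
    if value.startswith("[") and "]" in value:  # e.g. [::1]:8000
        return value[1:value.index("]")]
    return value.split(":", 1)[0]


def _is_local_address(host):
    """True for 'localhost' and for loopback or unspecified (0.0.0.0) IPs."""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def request_findings(headers):
    """Return reasons a request looks relayed by a browser from a public
    site; an empty list means Host and Origin both look local."""
    findings = []
    host = _host_only(headers.get("Host", ""))
    if host not in ALLOWED_HOSTS:
        # Host: 0.0.0.0 is the tell-tale; a normal local client never uses it.
        findings.append("unexpected-host:" + host)
    origin = headers.get("Origin")
    if origin:
        origin_host = (urlsplit(origin).hostname or "").lower()
        if not _is_local_address(origin_host):
            findings.append("cross-site-origin:" + origin_host)
    return findings


if __name__ == "__main__":
    # Constructed sample: what a browser on a public page would send locally.
    relayed = {"Host": "0.0.0.0:8000", "Origin": "https://attacker.example"}
    print(request_findings(relayed))
    # ['unexpected-host:0.0.0.0', 'cross-site-origin:attacker.example']
```

Rejecting requests with a non-empty findings list (for example with a 403) stops the relayed request from reaching the application logic, regardless of whether the browser has shipped its own block yet.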

The researchers quickly found several vulnerable applications and estimate that there are many more.

Ray, a popular open-source AI framework, and Selenium Grid, a smart proxy server for running tests in parallel on multiple machines, could both be attacked from the browser using 0.0.0.0 as the attack vector. The researchers were also able to reach PyTorch TorchServe, a framework for deploying machine learning models.

0.0.0.0 can also be used to track users online, since it allows fingerprinting of anonymous users who have no cookies and have never logged in. The address can also be used for port scanning, because different users have different sets of ports open.

“Attackers can use public domains to attack services running on localhost and even gain arbitrary code execution (RCE), all using a single HTTP request,” the researchers concluded.

What’s worse, many websites already send requests to 0.0.0.0. According to the report, as many as ~100K public websites may be communicating with 0.0.0.0 as of August 2024, corresponding to 0.015% of all websites. These pages could be malicious.

Apple, Mozilla, and Google are all working to fix this flaw and block access to 0.0.0.0. Chrome will begin blocking access starting with Chromium version 128, and the gradual rollout of the change will be completed by Chrome 133.

Apple Safari will block access in its upcoming version, iOS 18. Mozilla has no immediate fix for Firefox, but one is in progress. Mozilla has changed the Fetch specification (RFC) to block 0.0.0.0 as a temporary fix.