https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser

Cybersecurity researchers have discovered a critical vulnerability affecting all major web browsers (Google Chrome, Mozilla Firefox, Apple Safari) that could allow malicious websites to breach local networks. The flaw, dubbed “0.0.0.0 Day,” exploits inconsistencies in how browsers handle network requests and grants attackers potential access to sensitive local services.

The vulnerability arises from the way browsers handle the IP address “0.0.0.0,” which typically represents a generic or non-routable address within a network. Oligo Security researchers found that malicious websites can leverage this to bypass security restrictions and communicate with local software running on macOS and Linux devices.

This loophole potentially allows attackers to gain unauthorized access and execute code remotely on the victim’s machine, even bypassing Private Network Access (PNA) protections. Notably, Windows systems are not affected as they block access to 0.0.0.0 at the operating system level.

Researchers identified that public websites with “.com” domains can exploit this vulnerability to target local services on the visitor’s device using 0.0.0.0 instead of the standard “localhost” (127.0.0.1). This effectively bypasses PNA’s intended function of preventing external websites from accessing internal network endpoints.

In response to this critical finding, browser developers are expected to implement a complete block on access to 0.0.0.0, effectively closing the vulnerability and preventing future attacks. This change will likely deprecate the ability for public websites to directly access private network services.

The vulnerability highlights the importance of secure server implementations. As Oligo Security researcher Avi Lumelsky explains, “When services use localhost, they assume a constrained environment. This assumption… results in insecure server implementations.”

Users are advised to be cautious when visiting unfamiliar websites and to keep their browsers updated with the latest security patches. The update addressing this vulnerability is expected to be rolled out in the coming months.