bleepingcomputer[.]com/news/security/18-year-old-security-flaw-in-firefox-and-chrome-exploited-in-attacks/
Despite being reported in 2008, 18 years ago, this problem remains unresolved on Chrome, Firefox, and Safari, though all three have acknowledged the problem and are working towards a fix. Researchers at Oligo Security report that the risk is not only theoretical: they have observed multiple threat actors exploiting the vulnerability as part of their attack chains.
Malicious websites can send HTTP requests to 0.0.0.0 targeting a service running on the user's local machine, and due to a lack of consistent security, these requests are often routed to the service and processed.
Oligo reports a sudden uptick in the number of public websites communicating with 0.0.0.0 since last month, which has now reached about 100,000.
Google Chrome, the world's most popular web browser, has decided to take action and block access to 0.0.0.0 via a gradual rollout lasting from version 128 (upcoming) until version 133.
Mozilla Firefox does not implement Private Network Access (PNA), but it's a high development priority. Until PNA is implemented, a temporary fix has been set in motion, but no rollout dates were provided.
Apple has implemented additional IP checks on Safari via changes on WebKit and blocks access to 0.0.0.0 on version 18 (upcoming), which will be introduced with macOS Sequoia.
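Independently of the browser-side blocks, a local service can refuse these requests itself, because a browser that fetched `http://0.0.0.0:8080/` sends `Host: 0.0.0.0:8080` along with the calling site's `Origin`. The following is an added example, not code from the article or from Oligo's report; port 8080, the allow-lists and the names `check_request` and `GuardedHandler` are assumptions.

```python
"""Host/Origin allow-list for a loopback-only HTTP service (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions: the service listens on port 8080 and is only meant to be
# opened as localhost, 127.0.0.1 or [::1] by its own local web UI.
PORT = 8080
ALLOWED_HOSTS = {f"{h}:{PORT}" for h in ("localhost", "127.0.0.1", "[::1]")}
ALLOWED_ORIGINS = {f"http://{h}" for h in ALLOWED_HOSTS}


def check_request(headers):
    """Return (allowed, reason); `headers` is any mapping with .get()."""
    # Exact match on the Host header: "0.0.0.0:8080", "[::]:8080" and any
    # unexpected hostname are all refused.
    host = (headers.get("Host") or "").strip().lower()
    if host not in ALLOWED_HOSTS:
        return False, f"unexpected Host {host!r}"
    # Browsers attach Origin to cross-origin fetch/XHR and form POSTs.
    # If it is present, it must be the service's own UI.
    origin = headers.get("Origin")
    if origin is not None and origin.strip().lower() not in ALLOWED_ORIGINS:
        return False, f"cross-origin request from {origin!r}"
    return True, "ok"


class GuardedHandler(BaseHTTPRequestHandler):
    """Answers 403 before any application logic runs if the check fails."""

    def _guarded(self):
        allowed, reason = check_request(self.headers)
        body = b"ok\n" if allowed else reason.encode() + b"\n"
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = _guarded


if __name__ == "__main__":
    # Binding to loopback is kept, but it is not treated as sufficient:
    # the header check above is what refuses requests sent to 0.0.0.0.
    HTTPServer(("127.0.0.1", PORT), GuardedHandler).serve_forever()
```

The same Host allow-list also refuses requests that arrive under an attacker-controlled hostname resolving to the local machine.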