- cross-posted to:
- firefox@lemmy.ml
- cross-posted to:
- firefox@lemmy.ml
You must log in or register to comment.
…
Oligo Researchers have found that public websites (like domains ending in .com) are able to communicate with services running on the local network (localhost) and potentially execute arbitrary code on the visitor’s host by using the address 0.0.0.0 instead of localhost/127.0.0.1.
Remediation In Progress: Browsers Will Soon Block 0.0.0.0
Following responsible disclosure, HTTP requests to 0.0.0.0 are now being added to security standards using a Request for Comment (RFC), and some browsers will soon block access to 0.0.0.0 completely. 0.0.0.0 will not be allowed as a target IP anymore in the Fetch specification, which defines how browsers should behave when doing HTTP requests.
…
Um, OK? I dunno why you’d wanna block access to that IP.
The first hyperlink in that post explains exactly why:
https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser
Oh man, I thought, it was some silly celebration day for the 0.0.0.0 address, so I didn’t even click on the link at first.
