Thomas Brewster / Forbes: Researchers: hackers have used an 18-year-old flaw in how Safari, Chrome, and Firefox on macOS handle queries to a 0.0.0.0 IP address to breach private networks — Weaknesses in Chrome, Firefox and Safari gave hackers a route into internal networks, even those protected by firewalls, security researchers warn.
The headline makes it sound like it’s a macOS issue but reading the post from the researchers this is a browser flaw affecting essentially all browsers on macOS and Linux but not Windows for some reason. It’s also not a direct link to any particular article but a list of articles and tweets about the topic. Here’s the write-up from the researchers. Safari and Chrome are getting patches but Firefox is not even though the problem was actually first disclosed in a Firefox bug report in 2006. Firefox developers could not agree if it was a problem or not so it’s been closed and reopened several times. It sounds like Firefox will have to implement the Private Network Access specification proposed by Google to stop this now that the researchers have shown it’s a vulnerability and looks like it’s actually already being actively exploited.
I am by no means an expert on any of this but just trying to summarize what I read. External websites would make requests of local network or local machine resources. The Cross-Origin Resource Sharing (CORS) protocol is supposed to prevent access to these more private resources from less private locations but it seems it only does this by sending a response telling the website this access is not allowed (unless the user grants authorization?). That’s okay if you’re trying to prevent the external website from loading resources from an internal device, but these attackers can also send HTTP requests where they don’t care about the response and have been able to activate code on unsecured services running on local resources. Private Network Access extends the CORS protocol by preventing these requests from even being made unless permission is explicitly granted but I guess 0.0.0.0 was missed as a resource to block.
It looks like the researchers were able to find active attacks running in the wild, possibly for years, both for fingerprinting users by tracking devices and services available on the machine’s local network and actually gaining malicious access to those local networks.