Thomas Brewster / Forbes: Researchers: hackers have used an 18-year-old flaw in how Safari, Chrome, and Firefox on macOS handle queries to a 0.0.0.0 IP address to breach private networks — Weaknesses in Chrome, Firefox and Safari gave hackers a route into internal networks, even those protected by firewalls, security researchers warn.
The headline makes it sound like it’s a macOS issue, but reading the post from the researchers, this is a browser flaw affecting essentially all browsers on macOS and Linux but not Windows, for some reason. It’s also not a direct link to any particular article but a list of articles and tweets about the topic. Here’s the write-up from the researchers. Safari and Chrome are getting patches but Firefox is not, even though the problem was actually first disclosed in a Firefox bug report in 2006. Firefox developers could not agree on whether it was a problem or not, so it’s been closed and reopened several times. It sounds like Firefox will have to implement the Private Network Access specification proposed by Google to stop this, now that the researchers have shown it’s a vulnerability and it looks like it’s actually already being actively exploited.
I am by no means an expert on any of this but just trying to summarize what I read. External websites would make requests of local network or local machine resources. The Cross-Origin Resource Sharing (CORS) protocol is supposed to prevent access to these more private resources from less private locations but it seems it only does this by sending a response telling the website this access is not allowed (unless the user grants authorization?). That’s okay if you’re trying to prevent the external website from loading resources from an internal device, but these attackers can also send HTTP requests where they don’t care about the response and have been able to activate code on unsecured services running on local resources. Private Network Access extends the CORS protocol by preventing these requests from even being made unless permission is explicitly granted but I guess 0.0.0.0 was missed as a resource to block.
It looks like the researchers were able to find active attacks running in the wild, possibly for years, both for fingerprinting users by tracking devices and services available on the machine’s local network and actually gaining malicious access to those local networks.
Anything those of us on Linux should do in the meantime, or is this solely left up to which browser one uses?
Reading the article from the researchers, it looks like these requests are specifically made using JavaScript, so maybe disable it? Maybe there’s a way to block JavaScript from making any requests of 0.0.0.0? Or start using a Chromium browser? It’s going to start rolling out as a trial beginning with version 128 and is expected to ship by version 133. There’s been an open bug report for this in Firefox since 2006, but there’s been a debate about whether it was really an issue or not, so it was closed and reopened several times, and it sounds like they might have to add support for a whole new protocol that’s only a proposal and not a W3C standard or even on the standards track. I’m guessing this might not be fixed in Firefox very quickly.
If I use a browser based on Firefox (like Waterfox, Librewolf, or Ghostery) would that browser need to wait for Mozilla to fix it and inherit their fix, or could they address it in their own version of Firefox?