18-Year Browser Flaw Affecting Apple, Chrome, and Mozilla Exposed, Forbes Reports
For 18 years, leading browsers had a flaw that allowed hackers to exploit private networks through the 0.0.0.0 IP address, as first reported by Forbes.
The main leading browsers affected by this vulnerability are Apple, Google Chrome, and Mozilla Firefox, discovered by Oligo startup. The discovered vulnerability enabled hackers to breach private networks, due to how browsers handle queries to the 0.0.0.0 IP address.
Silent, but Deadly, Threat
These search engines take the queries to be sent to 0.0.0.0 and then redirect them to other IP addresses such as “localhost” – private and used for testing development code.
It is usually breached by hackers to send malicious requests to the 0.0.0.0 IP address, gaining access to data that is supposed to be private. Researchers of Oligo named this vulnerability the “0.0.0.0-day” attack.
According to Oligo AI Security Researcher, Avi Lumelsky, “Exploiting 0.0.0.0-day can let the attacker access the internal private network of the victim, opening a wide range of attack vectors.”
How Does It Work?
In case of an attack, the vulnerability allows hackers to dupe targets into visiting what appear to be harmless sites. Once visited, the sites will make illicit requests to the 0.0.0.0 IP address for the loading of internal files and messages. While this primarily affects people hosting web servers, the vulnerable systems count is still very large.
Researchers discovered that the Ray AI framework is vulnerable to attacks, with prominent firms such as Amazon and Intel adopting it for training AI models. Hackers could execute rogue code on a server running Ray or any app which uses localhost reachable via 0.0.0.0.
Ray AI Framework
Ray AI, an open-source framework, provides the needed grounds for scalable and flexible deployment of AI and machine learning models on many machines. Ray supports a wide range of applications, such as reinforcement learning, hyperparameter tuning, and large-scale data processing.
Google security developer, David Adrian said in chromium forum in June that, “We’ve had multiple reports of malware leveraging this to attack specific developer tooling frameworks.”
Apple Macs and Microsoft-maintained Linux machines have a high potential of being impacted by such attacks. Windows, on the other hand, is not subject to them, since Microsoft has blocked 0.0.0.0 on its operating system (OS).
Quick to Reach a Solution
In a response to the discovered loophole, Apple told Forbes it will block all attempts to hit 0.0.0.0 in the beta version of macOS 15 Sequoia.
The Chromium, and Chrome security teams at Google, are already planning similar measures. Chromium is a speed-oriented, secure, and modern web standard-compliant open-source web browser project from which Google Chrome and other web browsers are derived.
However, Mozilla is yet to introduce a fix in Firefox due to concerns over potential compatibility problems.
Final Thoughts
The exposure of the 0.0.0.0 vulnerability in major leading browsers should raise an alarm that even the most trusted technologies could have lingering dangers.
The “0.0.0.0-day” attack underscores just how advanced in nature cyber threats can be, and particularly shows that caution must always be a priority when dealing with cyberattacks. As tech giants like Apple and Google rush to fix this flaw, one cannot deny that security is not to be ignored in any way, especially that the world is further moving towards digitalization.
Inside Telecom provides you with an extensive list of content covering all aspects of the tech industry. Keep an eye on our Tech sections to stay informed and up-to-date with our daily articles.