Eighteen years ago, a vulnerability known as “0.0.0.0 Day” was disclosed, allowing malicious websites to bypass security measures in Google Chrome, Mozilla Firefox, and Apple Safari and interact with local network services.
This flaw specifically affects devices running Linux and macOS, while Windows systems are not vulnerable. The exploitation of this issue can lead to unauthorized changes in settings, access to protected information, and even remote code execution.
Despite the problem being reported in 2008, it remains unresolved across these major browsers, though they have acknowledged the issue and are working towards solutions. Oligo Security’s recent reports highlight that the vulnerability is not just theoretical; several threat actors have actively exploited it as part of their attack strategies, underscoring the seriousness of the flaw.
The 0.0.0.0 Day vulnerability arises from inconsistent security mechanisms among browsers and the lack of standardization, allowing public websites to communicate with local network services via the “wildcard” IP address 0.0.0.0. This address typically represents all IP addresses on the local machine or network interfaces and can act as a placeholder or be interpreted as localhost (127.0.0.1) in local networking scenarios.
Malicious websites can send HTTP requests to the 0.0.0.0 IP address, which are often processed by local services due to inconsistent security implementations. Existing protections like Cross-Origin Resource Sharing (CORS) and Private Network Access (PNA) fail to adequately address this risk.
While CORS can block responses from reaching attackers, it does not prevent requests made in “no-cors” mode from connecting to local services. PNA fails to block requests to the special 0.0.0.0 address, making it vulnerable.
Oligo Security has documented real-world exploitation of this flaw. The ShadowRay campaign targets local AI workloads, while the Selenium Grid campaign exploits the flaw to conduct code execution and reconnaissance.
Another instance, the ShellTorch vulnerability, involves the TorchServe web panel being bound to 0.0.0.0, exposing it to malicious requests. These cases highlight the practical dangers of the vulnerability and its use in active attacks.
In response to Oligo’s findings, browser developers are taking steps to address the issue. Google Chrome is gradually rolling out a block on 0.0.0.0, with full implementation expected from version 128 to 133.
Mozilla Firefox is prioritizing the implementation of PNA, while Apple Safari is updating WebKit to block 0.0.0.0 access in version 18. Until these fixes are in place, developers are advised to implement additional security measures, such as PNA headers, verifying HOST headers, and using HTTPS to mitigate potential risks.
