Hackers Exploit 18-Year-Old ‘0.0.0.0-Day’ Loophole in Major Browsers
Apple Safari, Google Chrome, and Mozilla Firefox browsers have been found vulnerable to a critical security loophole known as the ‘0.0.0.0-day’ attack. This vulnerability has been present for the past 18 years, allowing hackers to potentially breach private networks of both homes and businesses, as reported by Israeli cybersecurity startup Oligo.
What is the 0.0.0.0-Day Attack?
The loophole is linked to how browsers handle queries to a 0.0.0.0 IP address. Normally, when browsers like Chrome, Safari, and Firefox receive queries to 0.0.0.0, they redirect these to other IP addresses such as ‘localhost’, a local server used for testing code. Hackers have exploited this behavior by sending malicious requests to the 0.0.0.0 IP address, gaining access to data that should remain private. This type of attack has been termed a ‘0.0.0.0-day’ attack.
How the Attack Works
In a typical 0.0.0.0-day attack, the hacker manipulates the target into visiting a malicious website. The website appears normal but sends a harmful request to the 0.0.0.0 IP address, allowing the hacker to access sensitive information such as developer code and internal messages. Avi Lumelsky, an AI security researcher at Oligo, pointed out that this could also let attackers access the internal private network of the victim, opening up multiple attack vectors.
Vulnerability Scope
Although the attack predominantly affects those hosting web servers, it’s estimated that a significant number of systems are still vulnerable. Notably, researchers found that the issue extends beyond just localhost to any application that uses localhost and can be reached via 0.0.0.0. Affected systems can include major frameworks like Ray AI, used by companies such as Amazon and Intel.
Real-World Impact
David Adrian, a Google security developer, highlighted real-world instances of malware exploiting this vulnerability to target specific developer tools. While Windows systems are protected (Microsoft blocked 0.0.0.0 on its OS), Apple Macs and Linux machines remain at risk.
Industry Response
Apple has announced plans to block all website attempts to hit 0.0.0.0 in the beta of macOS 15 Sequoia. Google’s Chromium and Chrome security teams are also working on similar fixes. However, Mozilla faces challenges as blocking 0.0.0.0 could disrupt servers using it as a localhost substitute. Mozilla emphasized the ongoing standards discussions to understand and mitigate these compatibility risks.
Gal Elbaz, cofounder and CTO of Oligo, warned that the risk remains significant. Allowing 0.0.0.0 effectively permits access that should be blocked, leaving systems exposed.
Presentation at DEF CON
The cybersecurity community will gain further insights when the researchers present their findings at the DEF CON conference in Las Vegas this weekend.
