Facepalm: The 0.0.0.0 IPv4 address has historically been used as a non-standard "wildcard" to identify all IP addresses available on a network. Researchers have now discovered that it may also represent one of the most enduring security vulnerabilities in web-based internet access.
A report by Oligo Security highlights the dangers of the "0.0.0.0 Day" vulnerability, a security issue that could theoretically allow malicious websites to bypass even the most advanced browser protections and interact with services running on a local network. Researchers recently "rediscovered" the flaw, although knowledgeable cybercriminals have been attempting to exploit the bug for quite some time.
The flaw affects all available browser technologies, according to Oligo researchers, and is related to how these browsers handle network requests. A malicious web page could attempt to reach the non-existent 0.0.0.0 IP address, sending a poisoned packet to a random port on that address. A vulnerable browser could then route the request, potentially compromising network services running on the local (host) machine.
Interestingly, the bug affects macOS and Linux operating systems but not Windows. Chromium-based browsers, Apple Safari (WebKit), and Mozilla Firefox (Gecko) were all found to be vulnerable, Oligo noted. According to a Bugzilla thread about attacks against internal networks, Mozilla has been grappling with this controversial issue for 18 years.
Cross-Origin Resource Sharing (CORS) is a specification that controls access to restricted network resources, and the newer Private Network Access (PNA) draft specification is designed to clearly separate public and non-public networks within a browser. However, the 0.0.0.0 Day vulnerability was able to bypass both measures.
"The impact of 0.0.0.0 Day is far-reaching, affecting individuals and organizations alike," the researchers stated.
They also discovered active exploitation campaigns, such as the ShadowRay attack against AI workloads. Fortunately for macOS and Linux users, all three major browser engine developers have responded quickly to Oligo's call for a working solution to the flaw.
Google announced that Chromium/Chrome will soon block access to 0.0.0.0, through a gradual rollout that'll start in Chrome 128 before wrapping up in Chrome 133. Apple has also updated WebKit's code to block access to 0.0.0.0. Mozilla has yet to provide a production-ready fix, but the company has expressed a willingness to "engage" in discussions about the issue.
It's worth noting that Mozilla Firefox has not yet implemented PNA, as the CORS protocol was designed to be backward-compatible while still providing safeguards against improper access to local network resources. For now, Mozilla has updated the Fetch specification to block access to 0.0.0.0.