Google Chrome, Apple Safari, and Mozilla Firefox do not correctly handle requests to the IP address 0.0.0.0: they direct these requests to other addresses, including localhost, which is often used when developing code. Hackers have already exploited this vulnerability by sending requests to their victim’s 0.0.0.0 address, which gave them access to sensitive information, cybersecurity experts at the Israeli company Oligo said. They named this attack pattern “0.0.0.0-day.”
In this attack scheme, the attacker tricks the victim into visiting a site that appears harmless but sends a malicious request to access files via the address 0.0.0.0. In the first stage of the intrusion, the attacker can gain access to the developer’s code and internal messages, and the attack also opens access to the victim’s local network. This means that the scheme is limited to attacking only individuals and companies that host web servers themselves.
The 0.0.0.0-day mechanism makes it possible, for example, to run malicious code on a server hosting the Ray AI framework, which is used to train artificial intelligence by the largest companies, including Amazon and Intel. This is not a theoretical threat: Google cybersecurity engineer David Adrian has spoken about malware exploiting this vulnerability. This type of attack is possible on computers running macOS and Linux, but not Windows, because Microsoft has blocked access to the 0.0.0.0 address across the entire OS. Apple said it intends to block all attempts by sites to access this address in the macOS 15 Sequoia beta; cybersecurity experts on the Google Chrome and Chromium teams plan to do the same.
Mozilla, however, is not yet ready to offer the same solution for Firefox. The browser developer said that this could cause crashes on servers using the 0.0.0.0 address as a replacement for localhost, so a standards-based solution is needed. The Israeli cybersecurity experts insist the threat is significant: “By allowing 0.0.0.0, you are allowing everything.” They intend to present a detailed report at the DEF CON conference in Las Vegas next weekend.
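Until every browser blocks 0.0.0.0, a locally hosted service can refuse these requests itself: a page that targets 0.0.0.0 makes the browser send that address in the `Host` header, and cross-site requests that carry an `Origin` header name the foreign site there. The sketch below is an added example, not code from Oligo or any browser vendor; the allow-list, function names, port and sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only names this local service should be reached under.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def header_hostname(value, is_origin=False):
    """Extract the hostname from a Host or Origin header value, or None."""
    if not value:
        return None
    try:
        # Host is "name[:port]"; Origin is "scheme://name[:port]".
        parts = urlsplit(value if is_origin else "//" + value)
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    return parts.hostname  # already lower-cased; None when absent


def check_request(headers):
    """Return (allowed, reason) for a dict of headers with lower-case keys."""
    host = header_hostname(headers.get("host"))
    if host not in ALLOWED_HOSTS:
        # Catches http://0.0.0.0:<port>/ as well as missing or unknown hosts.
        return False, f"host {host!r} is not allow-listed"
    origin = headers.get("origin")
    if origin is not None:
        # Browsers attach Origin to cross-site POSTs and CORS requests.
        if header_hostname(origin, is_origin=True) not in ALLOWED_HOSTS:
            return False, f"cross-site origin {origin!r}"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"host": "localhost:8000"},                                    # local CLI client
    {"host": "localhost:8000", "origin": "http://localhost:8000"}, # local web UI
    {"host": "0.0.0.0:8000", "origin": "https://site.example"},    # 0.0.0.0 request
    {"host": "127.0.0.1:8000", "origin": "https://site.example"},  # cross-site POST
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_request(sample))
```

A check like this belongs in front of every route of the local service, and it complements rather than replaces authentication on that service.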