Open letitz opened 2 years ago
It seems that 0.0.0.0 does not map to localhost on Windows: https://superuser.com/questions/536156/how-do-i-get-0-0-0-0-to-resolve-to-localhost-when-browsing-a-url-that-contains-0
Still, its meaning differs based on the computer resolving the address.
I did research on this matter and managed to fingerprint website visitors without any cookies.
POC: http://ports.sh
but why did "you" make a seemingly new github account ( @avioligo ) to say that? why not use the same one @avilum ? seemed a bit fishy at first glance :D
EDIT: now "we" (presumably) know who (is the "external researcher" that) reported this https://issues.chromium.org/issues/332410234 then =) but no worries it's "Access is denied to this issue" at this time xD
@correabuscar Because I work at oligo.security and currently work on this :)
See https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild
And I confirm @avioligo is my work account :) Thanks for thinking twice! It is very responsible @correabuscar
Currently in Chromium, 0.0.0.0 is sorted into the "unknown" address space, which means it mostly behaves as "public". This specification treats 0.0.0.0 as "public".
A public website can abuse this to load a resource from localhost by replacing 127.0.0.1 with 0.0.0.0, which routes to localhost on Mac and Linux.
It seems that 0.0.0.0 should be treated as "local" instead, since its meaning is different for every host.
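The classification gap described in the issue, as an added example that is not part of the original thread or of any browser's code: an IPv4-only sketch of address-space classification and the "less private to more private" request check. The function names, the subset of ranges in the table, and the initiator address 203.0.113.10 are assumptions made for illustration.

```javascript
// Added example; addressSpace and isPrivateNetworkRequest are hypothetical names.
// A request toward a higher-ranked space than the initiator's is a private
// network request and is subject to the extra checks.
const RANK = { public: 0, private: 1, local: 2 };

// Subset of non-public IPv4 blocks: [network, prefix length, address space]
const RANGES = [
  ["127.0.0.0", 8, "local"],      // loopback
  ["10.0.0.0", 8, "private"],
  ["172.16.0.0", 12, "private"],
  ["192.168.0.0", 16, "private"],
  ["169.254.0.0", 16, "private"], // link-local
];

function toInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("not an IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error("bad octet in " + ip);
    return acc * 256 + Number(p);
  }, 0);
}

function inRange(addr, network, prefix) {
  const size = 2 ** (32 - prefix); // number of addresses in the block
  return Math.floor(addr / size) === Math.floor(toInt(network) / size);
}

// treatUnspecifiedAsLocal=false models the behaviour the issue describes
// (0.0.0.0 ends up "public"); true models the proposed change.
function addressSpace(ip, treatUnspecifiedAsLocal) {
  const addr = toInt(ip);
  if (addr === 0) return treatUnspecifiedAsLocal ? "local" : "public";
  for (const [network, prefix, space] of RANGES) {
    if (inRange(addr, network, prefix)) return space;
  }
  return "public";
}

function isPrivateNetworkRequest(initiatorIp, targetIp, treatUnspecifiedAsLocal) {
  return RANK[addressSpace(targetIp, treatUnspecifiedAsLocal)] >
         RANK[addressSpace(initiatorIp, treatUnspecifiedAsLocal)];
}

// Constructed inputs: a public initiator and the two targets from the issue.
for (const target of ["127.0.0.1", "0.0.0.0"]) {
  for (const fixed of [false, true]) {
    console.log(target, "fixed=" + fixed, "checked=" +
      isPrivateNetworkRequest("203.0.113.10", target, fixed));
  }
}
```

With the flag off, the request to 0.0.0.0 is the only one from the public initiator that is not flagged, which is the gap the issue reports.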