0.0.0.0 Day - 18 Yr Old Vulnerability Let Attackers Bypass All Browser Security
Submitted 4 months ago by Dnb@lemmy.dbzer0.com to technology@beehaw.org
https://cybersecuritynews.com/0-0-0-0-day/
Comments
tyler@programming.dev 4 months ago
The article literally doesn’t explain the vulnerability at all.
floofloof@lemmy.ca 4 months ago
It keeps promising to, then goes off into more ChatGPT-style rambling. It’s a bad article.
Kissaki@beehaw.org 4 months ago
Notably: “Windows is not impacted by this issue.”
biscuitswalrus@aussie.zone 4 months ago
I ended up reading it on bleeping computer since the linked site looks like an auto tldr bot saved 50% of the words. The important 50% was discarded.
drwho@beehaw.org 4 months ago
Everybody who could explain it well is at Hacker Summer Camp right now.
unconfirmedsourcesDOTgov@lemmy.sdf.org 4 months ago
I didn’t realize DEFCON was this weekend already, but this is a solid point 😂
Boomkop3@reddthat.com 4 months ago
Welp, I guess sandboxing a browser that has a sandbox might still be a good idea
sirico@feddit.uk 4 months ago
hunter2 Wow it works!
ssm@lemmy.sdf.org 4 months ago
Another big win for links2gang !links2@lemmy.sdf.org
dan@upvote.au 4 months ago
Seems like a TCP/IP stack issue rather than a browser issue… 0.0.0.0 is not supposed to be a valid address. The network stack should be dropping those packets.
drwho@beehaw.org 4 months ago
I’m inclined to agree. This looks like a misunderstanding of RFC 5735.
dan@upvote.au 4 months ago
which was based on RFC 1122, which states:
(section 3.3.6 just talks about broadcasts)
AndrasKrigare@beehaw.org 4 months ago
Yeah, I just did a quick test in Python to do a tcp connection to “0.0.0.0” and it made a loopback connection, instead of returning an error as I would have expected.
TehPers@beehaw.org 4 months ago
While I agree, it makes connecting to localhost as easy as
http://0:8080/
(for port 8080, but omit for port 80)
dan@upvote.au 4 months ago
The thing is that it’s not supposed to work, so it’s essentially relying on undefined behaviour. Typing
[::1]:8080
is nearly as easy. I haven’t seen the PRs, but IP comparison should really be using the binary form of the IPv4 address (a 32-bit number), not the human-friendly form.
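An added example (not from anyone in this thread, nor from any browser's code) of the point above: a filter that compares the host string against a human-readable denylist misses 0.0.0.0, while a check on the parsed numeric address catches it. The host list and the two filter functions are constructed for illustration; the robust version assumes name resolution is handled elsewhere and only treats the literal name "localhost" as local.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample of hosts a request filter might see (not from the thread).
SAMPLE_HOSTS = ["127.0.0.1", "localhost", "0.0.0.0", "10.0.0.5", "93.184.216.34", "[::1]"]

# The weak approach: a denylist of human-friendly spellings.
NAIVE_DENYLIST = {"127.0.0.1", "localhost"}


def naive_is_local(host: str) -> bool:
    """String comparison: only the exact spellings in the denylist match."""
    return host in NAIVE_DENYLIST


def ipv4_as_u32(host: str) -> Optional[int]:
    """Return the 32-bit integer value of an IPv4 literal, or None if it is not one."""
    try:
        return int(ipaddress.IPv4Address(host))
    except ipaddress.AddressValueError:
        return None


def robust_is_local(host: str) -> bool:
    """Decide on the parsed address value, not on the string.

    0.0.0.0 (the unspecified address, integer value 0) is treated like loopback
    because, as the thread notes, a connection to it reaches the local host on
    Linux and macOS. Loopback, private and link-local ranges are blocked too.
    Assumption: hostnames other than "localhost" are resolved and re-checked by
    the caller; this function only classifies IP literals.
    """
    bare = host.strip("[]")  # accept bracketed IPv6 literals such as [::1]
    if bare.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(bare)
    except ValueError:
        return False  # not an IP literal; resolve and re-check before connecting
    return addr.is_unspecified or addr.is_loopback or addr.is_private or addr.is_link_local


def compare_filters(hosts=SAMPLE_HOSTS) -> Dict[str, Tuple[bool, bool]]:
    """Map each host to (naive verdict, robust verdict) to show where they differ."""
    return {h: (naive_is_local(h), robust_is_local(h)) for h in hosts}


if __name__ == "__main__":
    for host, (naive, robust) in compare_filters().items():
        print(f"{host:>14}  naive={naive!s:5}  robust={robust}")
```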