- Confusion over how to handle requests for 0.0.0.0 has exposed a security vulnerability in multiple browsers.
- Attackers could use this method to bypass Private Network Access protection.
- Google’s got a fix for Chrome that’s rolling out over the next few releases.
Zero’s a funny number, and one that’s been causing problems for computers ever since the first time someone tried to divide by zero. When we’re using numbers to express specific things, the idea of “nothing” also being a valid option isn’t always intuitive to handle. Today we’re looking at what can happen when some zeroes are interpreted by software in a way users weren’t expecting, and how threat actors are able to use that mishandling to their advantage.
Our focus is on IP addresses (and the old IPv4, specifically), which uniquely identify every system on a network through a set of four numbers. As you may be aware, some of these numbers have special properties, like the IP address 127.0.0.1, which is known as localhost and serves as a loopback — basically, it’s like holding up a mirror to a device on a network, and no matter who you are, when you try to connect to 127.0.0.1, you’re just trying to connect back to your own device. This sort of behavior is pretty much standard everywhere, and software knows how to handle it.