There’s a pesky loophole lurking in every major browser, including Apple’s Safari, Google Chrome, and Mozilla Firefox, that has been open to attackers for the past 18 years.
This flaw lets a malicious website reach into the private networks of homes and businesses, exposing data that should never have been reachable from the public internet. As first reported by Forbes, researchers from Israeli cybersecurity startup Oligo explained how attackers can exploit this loophole and how Apple is finally fixing it.
According to the researchers, the loophole comes from the way browsers handle requests to the IP address 0.0.0.0. Browsers have long treated 0.0.0.0 as an ordinary public address, so a web page is allowed to send requests to it; the operating system, however, routes traffic for 0.0.0.0 to the machine itself, including the “localhost” services developers often run to test in-development code. Because 0.0.0.0 was missing from the list of private addresses that browsers protect, a malicious page loaded in the victim’s browser can send requests to 0.0.0.0 on the victim’s own machine and talk to those local services, letting attackers read and steal private data.
“Developer code and internal messaging are good examples of some of the info that can be accessed right away,” Avi Lumelsky, an AI security researcher at Oligo, told the publication. “But more importantly, exploiting 0.0.0.0-day can let the attacker access the internal private network of the victim, opening a wide range of attack vectors,” such as files, messages, and credentials.
Apple has confirmed to Forbes that it will block websites’ attempts to hit 0.0.0.0 in the beta of macOS 15 Sequoia. With that, the company is finally fixing an issue haunting Mac users for the past 18 years. Google is also planning to do the same with Chrome, but Mozilla hasn’t yet developed a solution for Firefox.
Users who stay on an older release are covered too: alongside macOS Sequoia, Apple will ship a Safari 18 update for previous versions of macOS, so Macs running macOS Sonoma and macOS Ventura will also be protected from this attack.