Description
The vulnerability addressed by this local-network-access proposal has been an interest of mine ever since I discovered the 2019 vulnerability in Zoom. That vulnerability allowed anyone to hijack the webcam on anyone's computer, due to a lack of protection around the localhost webserver Zoom secretly installed on an estimated ~4 million Macs. That vulnerability, as Assetnote later discovered, also turned out to be an RCE vulnerability.
Over the past several years, I've been keeping a list of vulnerabilities adjacent to this one in my head (and some here: mozilla/standards-positions#143), and this seems like a good place to capture all of them again:
Vulnerability | Year | Real-world Impact | What Broke | Link to Post |
---|---|---|---|---|
JetBrains IDEs HTTP API | 2016 | RCE on Windows/macOS via project load from attacker-controlled share; file read from local disk | Local HTTP server with no auth, open CORS, and path traversal | Link |
TrendMicro Password Manager | 2016 | RCE and password theft via browser local API | Node.js app exposed 70+ unauthenticated API endpoints to the browser | Link |
Princeton IoT Device Attacks | 2018 | Websites could discover, fingerprint, and control IoT devices on the local network | Lack of authentication and open local APIs in IoT devices; exploited via JavaScript in the browser | Link |
PortSwigger Intranet Port Scanning | 2018 | Browser-based intranet scanning; internal network mapping and fingerprinting | JavaScript-based iframe load detection to infer open ports reliably across major browsers | Link |
Zoom Localhost Web Server | 2019 | Forced camera access; silent Zoom reinstall | Undocumented localhost web server accepted unauthenticated requests | Link |
Zoom Localhost RCE (Assetnote Follow-up) | 2019 | Automatic installation of malicious package via Zoom server → macOS RCE | Logic flaw in domain suffix validation enabling download/install of an arbitrary installer via /launch | Link |
Dell SupportAssist Localhost RCE | 2019 | RCE from local network; websites could launch executables via Dell's local HTTP server | SupportAssist exposed an HTTP API with weak origin validation, allowing command execution via the browser | Link |
Null Sweep Port Scanning | 2020 | Websites fingerprinted users by scanning localhost ports | WebSocket/timing-based port scan from the browser | Link |
LocalMess Android App Tracking | 2024 | Websites linked anonymous browsing to app login status | Abuse of localhost ports to exfiltrate identifiers from mobile apps | Link |
I plan to add more to this list as I'm made aware of more examples.
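As an added illustration (not code from Zoom, Dell, or any project in the table above), the string-suffix origin check that the "domain suffix validation" and "weak origin validation" rows describe, beside the exact-hostname allowlist and per-install token check a localhost service should apply before acting on a browser request. The hostnames, header names and token are constructed for the example.

```python
"""Origin and token checks for a localhost HTTP API (added example)."""
from urllib.parse import urlsplit
import hmac


def weak_origin_check(origin: str, trusted_suffix: str) -> bool:
    """The flawed pattern: a plain string-suffix test on the Origin header.
    Any origin whose text merely ends in the suffix passes, so the check
    does not actually bind the request to the vendor's own site."""
    return origin.endswith(trusted_suffix)


def strict_origin_check(origin: str, allowed_hosts: frozenset) -> bool:
    """Hardened check: parse Origin as a URL, require https, and compare
    the exact hostname against an explicit allowlist."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    # A real Origin header is scheme://host[:port] only; anything more is suspect.
    if parts.path or parts.query or parts.fragment:
        return False
    return parts.hostname.lower() in allowed_hosts


def authorize_local_request(headers: dict, allowed_hosts: frozenset,
                            install_token: str) -> str:
    """Decide whether a request to the local server may proceed.

    Browser requests carry an Origin header; one that fails the allowlist is
    refused. Every request, browser or not, must also present the per-install
    secret (assumed header name X-Local-Token), so a page cannot drive the
    API merely by knowing the port. Returns a reason string suitable for a log line."""
    origin = headers.get("Origin")
    if origin is not None and not strict_origin_check(origin, allowed_hosts):
        return "deny: origin not on allowlist"
    supplied = headers.get("X-Local-Token", "")
    if not hmac.compare_digest(supplied, install_token):
        return "deny: missing or wrong install token"
    return "allow"


# Constructed allowlist for the example; not a real vendor domain.
TRUSTED = frozenset({"example-vendor.test"})
```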
This is a 19-year-old security vulnerability that still hasn't been fixed: https://bugzilla.mozilla.org/show_bug.cgi?id=354493
Given this history, I think there's a clear and obvious case for why this vulnerability needs to be addressed by the browsers. The recent case where Meta's and Yandex's spyware were both leveraging this mechanism as a deanonymization strategy starkly shows how badly protection against this behaviour is needed.
Personally, I think it's well past time to lay this vulnerability at the feet of browser vendors: this is your mess, and your responsibility to clean up.