Thursday, July 11, 2019 [Tweets] [Favorites]

Why Do Web Browsers Allow Access to the Local Network?

Jeff Johnson:

Since constantly requiring confirmation is obviously incredibly annoying, Apple has conveniently exempted some of its own apps from the requirement. For example, macappstore and macappstores URLs will automatically open App Store app without your confirmation.

But, curiously, Safari does prompt for opening the News app.

Zoom is certainly deserving of criticism. But I’ve seen very few people stop to ask, how was Zoom’s little trick even possible in the first place? Why does Safari allow a web page, zoom.us, to make requests to a localhost server? Is this possibility not surprising to you? It was surprising to me! The problem is actually worse than this. The major browsers I’ve tested — Safari, Chrome, Firefox — all allow web pages to send requests not only to localhost but also to any IP address on your Local Area Network! Can you believe that? I’m both astonished and horrified.

[…]

Moreover, a web page can even scan your network to find the addresses of your devices. I found a recent paper by Forcepoint that discusses in detail these kinds of attacks on your LAN from the web. So security researchers are aware of this possibility, but it seems that the browser vendors are doing nothing to plug the holes in their web browsers!

It seems strange that browsers prohibit access to local files but not the local network.

Bob Burrough:

Run some Javascript to scan common local router IP’s and save the results to the server. It would even map to your WAN IP so they could start hitting your router externally. The web is an absolute mess.

Previously:

Update (2019-07-15): See also: Hacker News.

Update (2019-07-17): Maxwell Swadling:

re web browsers, use LuLu or Little Snitch. They are great for lots of reasons, not just web browsers.

Agreed, but unfortunately most people don’t even know about such utilities—hence the argument for browsers providing some security here.

7 Comments

[…] browsers continue to allow remote pages to access local […]

On macOS Catalina they've added Apple News to the exemptions. This is all hard-coded in the private Safari framework.

I wonder if this is how app.plex.tv connects to my local plex server.

Mark Lilback

Without local network connections, how would you manage a local router? A NAS like a Synology? Test a webapp your building in docker container?

Want to scare scientists off the platform? Tell them they can't connect to RStudio, Spark, Hadoop, or any other big data tool that works via a local http connection.

I know a number of data scientist looking to switch from the Mac because of talk, led by Jason Snell, of how Apple should switch to ARM chips. Ditching native x64_64 docker containers is a sure fire way to lose all the data scientist I know. Same goes for anyone doing serious backend server-side work. Being able to run the exact same disk images on your Mac as you do on your Linux server is the best innovation in server-side development for at least twenty years.

@Mark The issue isn’t so much allowing local network connections as the fact that local connections can happen as a result of loading a remote page. There’s a big difference between typing in a Bonjour address and having a random site probe your network without the browser asking permission or even telling you this is happening. So I think this could be made much more secure without impacting any of the things that you mention.

Ghost Quartz

@Dillan, possibly, Plex does some interesting things to make the web app work with over TLS, so it depends on your configuration, and whether you can access your Plex server over the Internet.

IIRC, it’s likely connecting to a domain in the form of `1-2-3-4..plex.direct`, where `` is a hash unique to your account, and `1-2-3-4` is the IP your server advertises to Plex’s backend. They do this so they can issue you a wildcard certificate to `*..plex.direct`, which will be trusted by your browser, and remains valid even if your Plex server’s IP changes. However, many routers and ISPs have DNS rebinding protections, so if you’re using your ISP’s or router’s DNS server, it will refuse to resolve a domain that points to a local network or loopback IP.

See: https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/ and https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/

Ghost Quartz

Shoot, part of my comment got parsed incorrectly. It should read:

“IIRC, it’s likely connecting to a domain in the form of `1-2-3-4.HASH.plex.direct`, where `HASH` is a hash unique to your account, and `1-2-3-4` is the IP your server advertises to Plex’s backend. They do this so they can issue you a wildcard certificate to `*.HASH.plex.direct`…”

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment