{"id":25928,"date":"2019-07-11T16:39:07","date_gmt":"2019-07-11T20:39:07","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=25928"},"modified":"2019-07-17T15:31:53","modified_gmt":"2019-07-17T19:31:53","slug":"why-do-web-browsers-allow-access-to-the-local-network","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/07\/11\/why-do-web-browsers-allow-access-to-the-local-network\/","title":{"rendered":"Why Do Web Browsers Allow Access to the Local Network?"},"content":{"rendered":"

Jeff Johnson<\/a>:<\/p>\n

\n

Since constantly requiring confirmation is obviously incredibly annoying, Apple has conveniently exempted some of its own apps from the requirement. For example, macappstore<\/code> and macappstores<\/code> URLs will automatically open App Store app without your confirmation.<\/p>\n<\/blockquote>\n

But, curiously, Safari does prompt for opening the News app.<\/p>\n\n

\n

Zoom is certainly deserving of criticism. But I’ve seen very few people stop to ask, how was Zoom’s little trick even possible in the first place? Why does Safari allow a web page, zoom.us<\/code>, to make requests to a localhost server? Is this possibility not surprising to you? It was surprising to me! The problem is actually worse than this. The major browsers I’ve tested — Safari, Chrome, Firefox — all allow web pages to send requests not only to localhost but also to any IP address on your Local Area Network! Can you believe that? I’m both astonished and horrified.<\/p>\n

[…]<\/p>\n

Moreover, a web page can even scan your network to find the addresses of your devices. I found a recent paper by Forcepoint<\/a> that discusses in detail these kinds of attacks on your LAN from the web. So security researchers are aware of this possibility, but it seems that the browser vendors are doing nothing to plug the holes in their web browsers!<\/p>\n<\/blockquote>\n\n

It seems strange that browsers prohibit access to local files<\/a> but not the local network.<\/p>\n\n

Bob Burrough<\/a>:<\/p>\n

\n

Run some Javascript to scan common local router IP’s and save the results to the server. It would even map to your WAN IP so they could start hitting your router externally. The web is an absolute mess.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n