TY - JOUR
T1 - Localhost detour from public to private networks
T2 - Vulnerabilities and mitigations
AU - Israeli, Dor
AU - Noy, Alon
AU - Afek, Yehuda
AU - Bremler-Barr, Anat
N1 - Publisher Copyright:
© The Author(s) 2024.
PY - 2024
Y1 - 2024
N2 - This paper presents a new localhost browser-based vulnerability and a corresponding attack that opens the door to new attacks on private networks and local devices. We show that this new vulnerability may put hundreds of millions of internet users and their IoT devices at risk. We demonstrate the viability of the attack on a real product, "Folding@Home", for which we made a responsible disclosure of the specific vulnerability. Following the attack presentation, we suggest three new protection mechanisms to mitigate this vulnerability, across the different entities involved in the attack (browser, localhost server, and attacked IoT device). This new attack bypasses recently suggested protection mechanisms designed to stop browser-based attacks on private devices and local applications (Chromium and Rigoudy 2021, Afek et al. 2019), for which we also made a responsible disclosure.
AB - This paper presents a new localhost browser-based vulnerability and a corresponding attack that opens the door to new attacks on private networks and local devices. We show that this new vulnerability may put hundreds of millions of internet users and their IoT devices at risk. We demonstrate the viability of the attack on a real product, "Folding@Home", for which we made a responsible disclosure of the specific vulnerability. Following the attack presentation, we suggest three new protection mechanisms to mitigate this vulnerability, across the different entities involved in the attack (browser, localhost server, and attacked IoT device). This new attack bypasses recently suggested protection mechanisms designed to stop browser-based attacks on private devices and local applications (Chromium and Rigoudy 2021, Afek et al. 2019), for which we also made a responsible disclosure.
KW - Browser based attack
KW - IoT
KW - Localhost
KW - Private network
UR - http://www.scopus.com/inward/record.url?scp=85208812171&partnerID=8YFLogxK
U2 - 10.1007/s12095-024-00750-x
DO - 10.1007/s12095-024-00750-x
M3 - Article
AN - SCOPUS:85208812171
SN - 1936-2447
VL - 17
SP - 597
EP - 620
JO - Cryptography and Communications
JF - Cryptography and Communications
IS - 3
ER -