Not just an Android vulnerability? Also, related to 0.0.0.0 Day?
Posted Jun 12, 2025 3:51 UTC (Thu) by KJ7RRV (subscriber, #153595)
Parent article: Covert web-to-app tracking via localhost on Android
Also, this seems to be somewhat related to the 0.0.0.0 Day [1] vulnerability affecting browsers on Mac and Linux? The difference is that with Local Mess, the localhost listener is part of the exploit, whereas with 0.0.0.0 Day, it is the target being exploited, but both involve connections to local ports.
I believe my ZeroTest vulnerability checker [2] for 0.0.0.0 Day should also detect listeners intended to exploit Local Mess (since it is essentially a port scanner), and installing uBlock Origin or Stop PNA [3], an extension written to protect against 0.0.0.0 Day, should protect against Local Mess as well.
Of course, these only work on mobile browsers that support extensions; Firefox is the only one that I know of that does. uBlock Origin, as a recommended extension, can be easily installed in the default configuration; Stop PNA must be sideloaded [4], which is somewhat harder.
[1] https://www.oligo.security/blog/0-0-0-0-day-exploiting-lo...
[2] http://zerotest.kj7rrv.com/
[3] https://codeberg.org/gs/stop-pna
[4] https://www.ghacks.net/2023/12/18/firefox-nightly-for-and...
Posted Jun 12, 2025 3:55 UTC (Thu)
by KJ7RRV (subscriber, #153595)
> Q: Does this only affect Android users? What about iOS or other platforms?
> A: We have only obtained empirical evidence of this web-to-native ID bridging Meta and Yandex web scripts, which exclusively targeted mobile Android users. No evidence of abuse has been observed in iOS browsers and apps that we tested. That said, similar data sharing between iOS browsers and native apps is technically possible. iOS browsers, which are all based on WebKit, allow developers to programmatically establish localhost connections and apps can listen on local ports. It is possible that technical and policy restrictions for running native apps in the background may explain why iOS users were not targeted by these trackers. We note, however, that our iOS analysis is still preliminary and this behavior might have also violated PlayStore policies. Beyond mobile platforms, web-to-native ID bridging could also pose a threat on desktop OSes and smart TV platforms, but we have not yet investigated these platforms.
Posted Jun 12, 2025 9:52 UTC (Thu)
by grawity (subscriber, #80596)
As I understand it – it would, but... most desktop platforms don't have that kind of application software installed (nor is such software *available* at all, when it comes to the usual suspects – when was the last time a "Facebook" desktop app existed for Windows? probably in Win8 UWP era?), unlike mobile platforms where having such software is "normal" and commonplace.
> Also, this seems to be somewhat related to the 0.0.0.0 Day
"the 0.0.0.0 Day"? ...I'm sorry, but that sounds like such a grandiose name for what seems like a very regular vulnerability. It definitely beats "Meltdown" by a mile. What will come next? "git checkout master of Disaster"? "Ultra LaserJet"? "Segfault of Doctor Doom"?
Posted Jun 12, 2025 11:48 UTC (Thu)
by rschroev (subscriber, #4164)
WhatsApp (which is also Meta) has an app. Its supposed goal is to enable/improve calls and screen sharing on your desktop, but it wouldn't totally surprise me to learn they also use it for exploits like this.