Another day, another vulnerability due to bad implementations. Interestingly, Windows not affected by it. Microsoft doing at least basic security right 
Also should’ve been blocked by the Block Outsider Intrusion into LAN uBO filter list, which I thought we used to recommend, but apparently we currently don’t. Thoughts @team?
3 Likes
it looks like there is going to be some sort of browser update fix.
In response to the findings in April 2024, web browsers are expected to block access to 0.0.0.0 completely, thereby deprecating direct access to private network endpoints from public websites.
2 Likes
I’ve been using
for a long time, no issues.
3 Likes
The beancounters must not have been able to find a way to override the security guys for this one 
I also use this. Would recommend it aswell. Was probably removed because some wanted to not recommend additional lists due to fingerprinting risks. I still stand by that addtional lists for most people are more beneficial than harm.
6 Likes
I haven’t followed this too closely. Is it still relevant to use the extra uBO list for Mullvad Browser, Firefox, Brave, etc.?
It’s still a good idea to use it even if this particular issue is resolved. It is generally a bad idea to let websites query resources on your LAN, which they are free to do for the most part.
Just remember that if you use legitimate websites that access things on your LAN (for example, Plex or Jellyfin, or maybe your router’s control panel) you might have to disable uBlock Origin on that site.
On Mullvad Browser it may make you more fingerprintable in theory, so you have to decide if that risk is worth it. I’d say the risk is pretty low, but I still recommend against modifying Mullvad Browser settings as a general rule. Might be better if @ruihildt wanted to enable that filter by default for everyone 
3 Likes
I checked with the NoScript developer, and they confirmed Mullvad browser is protected against this threat, by virtue of shipping NoScript with it by default.
NoScript protects against this attack with its LAN protection.
About the uBO filter list: “no, that’s a false solution because you could use a fake DNS record to work around the 0.0.0.0 rule. NoScript actually checks for DNS rebinding, too.”
6 Likes
DNS rebinding was indeed discussed a few years ago in uBO’s issue repo.
Btw, uBO has added ipaddress static network filter option which utilizes Firefox’ dns.resolve() and webRequest.onHeadersReceived.
Related commits:
https://github.com/gorhill/uBlock/commit/c6dedd253f
https://github.com/gorhill/uBlock/commit/030d7334e4
https://github.com/gorhill/uBlock/commit/6acf97bf51
Related filters:
https://github.com/uBlockOrigin/uAssets/blob/0b86acd1408e37f36c8b6b176f44c67c49796c0d/filters/privacy.txt#L1028
https://github.com/uBlockOrigin/uAssets/blob/0b86acd1408e37f36c8b6b176f44c67c49796c0d/filters/lan-block.txt#L107-L109
Some notes
The reason for additional webRequest.onHeadersReceived is because the IP result from extensions’ dns.resolve() (uBO, NoScript…) might be not the same as what browser would actually use at the end.
Some more reads at: Boosting Blind SSRF Attacks Using DNS Rebinding
The filters are available for Firefox and in dev build now. They could arrive when version 1.59.1+ is released.
Arkenfox and uBo Medium alrrady protect from this.
Browsers fixed this already anyway.