Comment by asimovDev
5 days ago
Embarrassed to say that I wasn't aware of this practice. Are there malicious uses for this beyond fingerprinting?
5 days ago
Embarrassed to say that I wasn't aware of this practice. Are there malicious uses for this beyond fingerprinting?
Yes. Facebook was using this trick on Android. Meta's android apps would host a server on localhost, and their sites would communicate with this local server to pass tracking information that would otherwise be blocked by all browser protection methods on Android. I guess it is still fingerprinting, but at the most extreme end.
https://news.ycombinator.com/item?id=44169115
Mostly it's great for tracking although I'm sure it could also be used to exfiltrate data (e.g. if the user is running something sensitive on localhost).
https://www.digitalsamba.com/blog/metas-localhost-spyware-ho...
Routers with vulnerable URLs. You can search for: "router" "authentication bypass".
Isn't CORS supposed to prevent this?
CORS doesn’t prevent requests (i.e. GET requests from IMG tags, or XHR preflight requests), it only prevents web apps from processing the response if the responding server doesn’t agree. And a simple GET or even OPTIONS request can be enough to exploit vulnerabilities in routers and other local devices.
https://files.catbox.moe/g1bejn.png
When I visit the site from Safari on macOS I see this in the console. Are there any particular services that use port 8888 for the website to do this?
https://my.f5.com/manage/s/article/K000138794
It seems to be part of some "bot defense" product by these F5 people, to "test the different browser capabilities". I doubt it's intended to hit a real endpoint on any system.