This is ridiculous. Not that I'm defending Transmission on their slowness here, but this is fundamentally a chrome issue. Websites being able to access services running on localhost is a security vulnerability, a sandbox escape. People assume restricting incoming connections to localhost means that only localhost can connect, because that is exactly what that is MEANT to do. I don't think it's reasonable for every service in the world to now assume the loopback interface is hostile because browsers can't get their act together.
It would be shortsighted to simply call this a Chrome bug.
You can use this attack to make the browser communicate with somebody else’s computer. If that computer happens to give the user privileges because of his IP address, for instance because he is in the same home or because he is on localhost, the attacker can then use these privileges.
One could imagine Chrome blocking this attack with respect to localhost but blocking connections to machines on the home network is farfetched.
And note that it’s not just web services, the browser can start general tcp connections.
Isn't there just the one flaw here? That random websites can make connections to localhost through a browser? Are we now going to enumerate every possible thing that accepts connections on localhost without authentication?
>"I regularly encounter users who don't accept that websites can access services on localhost or their intranet,"
That seems to be a very reasonable thing to not accept...
Hard to call it a flaw... it's definitely problematic, but it's seen legitimate uses in many web apps (Spotify, Discord to think of two) as a way to communicate with their own desktop client from the web.
The other related issue is that communicating with localhost over https is very hard for an app. I wonder if there is a potential way to kill two birds with one stone here with some browser changes.
> I regularly encounter users who don't accept that websites can access services on localhost or their intranet," Ormandy wrote. "These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website 'transfers' execution somewhere else. It doesn't work like that, but this is a common source of confusion."
does this mean a malicious site can query data from a running service, such as local MySQL? If so, isn't that a big deal? I know lots of places that run things open locally because they're behind a firewall.
So, if you have, say, telnet bound to localhost without a password, you are not safe (modern browser would drop the response as it's not valid HTTP, but with telnet you don't exactly care anyway).
Google Project Zero-discovered flaw allows remote execution by malicious site if remote access in enabled in the client with no password set. This is not uncommon since people assume restricting to localhost will prevent access outside the host machine.