4 comments

[ 6.5 ms ] story [ 19.2 ms ] thread
Apologies if I read this wrong, but it appears they actually found another way to exploit the _existing_ vuln, not a new one.

Just checking my understanding.

That is how I understood it also.

The new part of their discovery is that visiting a malicious website can run the attack on servers in the private network via a JavaScript application and websockets.

That means even applications which are not exposed to the internet can be attacked.

still confused why browsers allow private network access from non-private domains
The world would be a much better place if we put a lot more outbound network rules in.