Chrome is testing protection against attacks on users' home networks

Google engineers have introduced a novel security measure in Chrome, called Private Network Access, designed to identify websites that probe users’ local networks. This feature is set to debut in Chrome 123, slated for release in March 2024.

The primary goal of this addition is to safeguard user devices such as printers and routers from potential cyber threats. Google’s team highlights that local network devices are often perceived as secure due to their isolation from direct internet connections and placement behind routers.

The core objective is to shield users’ internal networks from hostile sites that target vulnerable devices and servers. This is particularly crucial as an increasing number of devices rely on web interfaces that lack robust security measures. Google’s developers initiated this project in 2021 to block harmful requests from external sites to resources within private networks, including localhost and private IP addresses.

Initially, Private Network Access is expected to function in a “warning-only” mode. It will monitor and alert users when a public site (referred to as “Site A”) attempts to direct the browser to another site (“Site B”) within the user’s private network. The primary focus of these checks will be on CORS-preflight requests.

Google provides an example where an HTML iframe is used in a CSRF attack to alter the DNS settings of a router on a local network, illustrating the potential risks this feature aims to mitigate.

<!-- An iframe loads its target through the src attribute (the original snippet used href, which an iframe ignores); the embedded credentials are the router's default login. -->
<iframe src="https://admin:admin@router.local/set_dns?server1=123.123.123.123"></iframe>

Google Chrome is enhancing security with a new mechanism to protect internal devices from unauthorized access by public sites. When Chrome detects an attempt to connect to an internal device, it initiates a preflight request. If there’s no response, the connection is blocked to safeguard the internal network. However, if the internal device responds, it can authorize the request using the Access-Control-Request-Private-Network header, ensuring that only permitted connections are allowed.

Initially, this security feature will operate in a warning-only mode. Even if the preflight checks fail, the requests won’t be blocked outright. Instead, developers will be alerted through a warning in the DevTools console, allowing them to address any issues without immediate disruption.

Google also highlights a potential loophole where blocked requests might still proceed through automatic reloading. To counter this, they recommend disabling auto-reload for pages previously blocked by the Private Network Access feature. In such cases, users will be prompted with an error message, advising them to manually reload the page to resolve the request.
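The preflight exchange described above, seen from the device side, as an added example that is not from the article or from Chrome: a minimal HTTP handler for a private-network device (a router admin UI, say) that answers Chrome's Private Network Access preflight. Chrome sends the preflight with the request header Access-Control-Request-Private-Network: true, and the device grants access by answering with Access-Control-Allow-Private-Network: true; the origin allow-list and the port are assumptions for this example.

```python
# Added example: how a device on a private network can answer the CORS
# preflight that Chrome sends under Private Network Access. Only an origin on
# the device's allow-list gets the allow header; any other public site gets no
# allow header, so the browser refuses to send the real request.
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_ORIGINS = {"https://dashboard.example"}  # constructed allow-list


def preflight_response(headers, allowed_origins=ALLOWED_ORIGINS):
    """Decide how to answer a preflight (OPTIONS) request.

    headers: any mapping of request headers (case-insensitive lookup).
    Returns (status, response_headers).
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin", "")
    # Chrome adds this request header when a public site targets a private address.
    wants_private = h.get("access-control-request-private-network", "").lower() == "true"
    if origin not in allowed_origins:
        return 403, {}  # unknown site: no CORS headers at all, preflight fails
    resp = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET, POST",
        "Vary": "Origin",
    }
    if wants_private:
        # Explicit opt-in; without it the browser blocks the private-network request.
        resp["Access-Control-Allow-Private-Network"] = "true"
    return 204, resp


class DeviceHandler(BaseHTTPRequestHandler):
    """Hypothetical device admin endpoint used to exercise preflight_response()."""

    def do_OPTIONS(self):
        status, hdrs = preflight_response(self.headers)
        self.send_response(status)
        for name, value in hdrs.items():
            self.send_header(name, value)
        self.end_headers()

    def do_GET(self):
        body = b"device admin page\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), DeviceHandler).serve_forever()  # assumed port
```

Run it and issue an OPTIONS request with the Origin and Access-Control-Request-Private-Network headers to see the allow or deny decision.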
