Using LocalHost in Production

This week, there was a revelation that the Zoom teleconferencing software runs a localhost server on customer’s machines – and this localhost serve can be used to maliciously add your machine to conference calls (with the video active) by malicious websites.

About 2 years ago, I looked into how may websites make requests to localhost when the page loads.  Let’s revisit the data to see how things have changed.  I’ll use the HTTP Archive to look 5M webpages for references to localhost or 127.0.0.1:

select

requests.url request, requests.status, requests.respsize
from httparchive.summary_requests.2019_06_01_mobile requests

where requests.url like “%//localhost%” OR requests.url like “%//127.0.0.1%”

There are a lot of pages that have a directory called localhost, so I force the search to only look for “//localhost” to remove these from the results.

Referencing Localhost

In the June crawl of 5M mobile websites there are 37,712 references to Localhost.

37,000 are coming from just one website:

Screen Shot 2019-07-11 at 3.24.00 PM

The referrer is “InstallVestCert.html”, implying that this is attempting to load a certificate, and the file is appended with a random number between 0 and 1.  As the page never stops loading, the HTTPArchive instance recording has ~37k failures before it errors out.  The request is made to https://127.0.0.1:15018, which is a pretty funky port.

After this outlier, the remaining ports all appear to be regular HTTP ports often used in building sites locally (as I saw a year ago):

Screen Shot 2019-07-11 at 3.48.34 PM

In general, requests to localhost (at least on root homepages) appear to be innocuous errors that can be easily fixed by resolving to the correct domain.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.