asimovDev 3 days ago

Embarrassed to say that I wasn't aware of this practice. Are there malicious uses for this beyond fingerprinting?

privacyking 3 days ago | parent | next [-]

Yes. Facebook was using this trick on Android. Meta's Android apps would host a server on localhost, and their sites would communicate with this local server to pass tracking information that would otherwise be blocked by all browser protection methods on Android. I guess it is still fingerprinting, but at the most extreme end.

https://news.ycombinator.com/item?id=44169115

inferiorhuman 3 days ago | parent | prev | next [-]

Mostly it's great for tracking although I'm sure it could also be used to exfiltrate data (e.g. if the user is running something sensitive on localhost).

https://www.digitalsamba.com/blog/metas-localhost-spyware-ho...

palmfacehn 3 days ago | parent | prev | next [-]

Routers with vulnerable URLs. You can search for: "router" "authentication bypass".

causal 2 days ago | parent [-]

Isn't CORS supposed to prevent this?

layer8 2 days ago | parent [-]

CORS doesn’t prevent requests (i.e. GET requests from IMG tags, or XHR preflight requests), it only prevents web apps from processing the response if the responding server doesn’t agree. And a simple GET or even OPTIONS request can be enough to exploit vulnerabilities in routers and other local devices.
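
Added example (not part of the thread): because the request still reaches the device, as the comment above says, the service has to decide for itself whether to act on it. A sketch of such a gate for a local admin service; `gateRequest`, the trusted origins and port 8080 are assumptions made for illustration, and the sample requests are constructed.

```javascript
// Added example: request gate for a hypothetical admin service on 127.0.0.1:8080.
// CORS only decides whether the calling page may read the response, so the
// choice to act on a request has to be made by the server itself.
const TRUSTED_ORIGINS = new Set(["http://127.0.0.1:8080", "http://localhost:8080"]); // assumed UI origins
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]); // handlers for these must never change state

// headers uses lower-cased names, as in Node's req.headers.
function gateRequest(method, headers) {
  const site = headers["sec-fetch-site"]; // Fetch Metadata, set by the browser
  const origin = headers["origin"];       // present on CORS requests and form POSTs

  // Only same-origin requests and direct user navigation ("none") pass.
  if (site !== undefined && site !== "same-origin" && site !== "none") {
    return { allow: false, reason: "Sec-Fetch-Site: " + site };
  }
  // A foreign Origin (including the literal "null") is refused.
  if (origin !== undefined && !TRUSTED_ORIGINS.has(origin)) {
    return { allow: false, reason: "untrusted Origin" };
  }
  // State changes need positive proof of a same-origin caller; a request
  // with neither header (old browser, script) gets no benefit of the doubt.
  if (!SAFE_METHODS.has(method) && site !== "same-origin" && origin === undefined) {
    return { allow: false, reason: "no same-origin proof" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample requests: [method, headers].
const SAMPLES = [
  ["GET", { "sec-fetch-site": "cross-site", "sec-fetch-dest": "image" }],    // IMG tag on another site
  ["OPTIONS", { "origin": "https://example.com", "sec-fetch-site": "cross-site",
                "access-control-request-method": "POST" }],                  // XHR preflight
  ["POST", { "origin": "https://example.com" }],                             // form POST, no Fetch Metadata
  ["POST", { "origin": "http://127.0.0.1:8080", "sec-fetch-site": "same-origin" }], // the UI itself
  ["GET", { "sec-fetch-site": "none" }],                                     // typed into the address bar
  ["POST", {}],                                                              // no headers at all
];

// Returns one allow/deny boolean per sample, in order.
function runSamples() {
  return SAMPLES.map(([method, headers]) => gateRequest(method, headers).allow);
}

console.log(runSamples());
```

Browsers attach `Sec-Fetch-*` headers only to potentially trustworthy URLs (HTTPS or loopback), so a device served over plain HTTP on a LAN address is left with the `Origin` check and side-effect-free GET handlers.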

asimovDev 3 days ago | parent | prev [-]

https://files.catbox.moe/g1bejn.png

When I visit the site from Safari on macOS I see this in the console. Are there any particular services that use port 8888 for the website to do this?

jadamson 3 days ago | parent [-]

https://my.f5.com/manage/s/article/K000138794

It seems to be part of some "bot defense" product by these F5 people, to "test the different browser capabilities". I doubt it's intended to hit a real endpoint on any system.