The Web Proxy Auto-Discovery Protocol (WPAD), enabled by default on Windows and supported by other operating systems, can expose computer users' online accounts, web searches, and other private data, security researchers warn.
Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections, said Alex Chapman and Paul Stone, researchers with U.K.-based Context Information Security, during the DEF CON security conference this week.
The location of PAC (Proxy Auto-Config) files can be discovered through WPAD in several ways: through a special Dynamic Host Configuration Protocol (DHCP) option, through local Domain Name System (DNS) lookups, or through Link-Local Multicast Name Resolution (LLMNR).
Attackers can abuse these options to supply computers on a local network with a PAC file that specifies a rogue web proxy under their control. This can be done on an open wireless network or if the attackers compromise a router or access point.
Compromising the computer's original network is optional because computers will still try to use WPAD for proxy discovery when they're taken outside and are connected to other networks, like public wireless hotspots. And even though WPAD is mostly used in corporate environments, it is enabled by default on all Windows computers, even those running home editions.
On Windows, WPAD is used when the "automatically detect settings" option is checked in the proxy configuration panel.
A rogue web proxy would allow attackers to intercept and modify non-encrypted HTTP traffic, which wouldn't normally be a big deal because most major websites today use HTTPS (HTTP Secure).
However, because PAC files allow defining different proxies for particular URLs and can also force DNS lookup for those URLs, Chapman and Stone created a script that leaks all HTTPS URLs via DNS lookups to a rogue server they control.
The full HTTPS URLs are supposed to be hidden because they can contain authentication tokens and other sensitive data as parameters. For example, the URL https://example.com/login?authtoken=ABC1234 could be leaked through a DNS request for https.example.com.login.authtoken.ABC1234.leak and reconstructed on the attacker's server.
The researchers showed that by using this PAC-based HTTPS URL leak method, attackers can steal Google search terms or see what articles the user has viewed on Wikipedia. That's bad enough from a privacy perspective, but the risks introduced by WPAD and rogue PAC files don't end there.
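A defender can spot this leak pattern in DNS logs, because the encoded URLs produce query names that ordinary clients never send. The script below is an added example, not code from the article or the researchers; it scans a few constructed BIND-style query log lines (an assumed log format) and flags names whose first label is a URL scheme, names that are unusually deep, and plain WPAD discovery lookups, which are worth noticing on networks where no WPAD server is provisioned.

```python
import re
from typing import Dict, List

# Constructed sample log lines, not real traffic. The second and third
# entries mirror the article's encoding: the full HTTPS URL is turned into
# DNS labels under an attacker-chosen suffix (".leak" here).
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: www.wikipedia.org IN A
client 10.0.0.5#51235: query: https.example.com.login.authtoken.ABC1234.leak IN A
client 10.0.0.7#51236: query: https.www.google.com.search.q.wpad.attack.leak IN A
client 10.0.0.9#51237: query: wpad.corp.example IN A
client 10.0.0.5#51238: query: cdn.static.example.net IN A
"""

# Assumed BIND query-log layout: "client <ip>#<port>: query: <name> IN <type>".
QUERY_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")
MAX_LABELS = 6  # assumed threshold; tune to the normal name depth seen locally

def classify(qname: str) -> str:
    """Return a reason string if the query name looks suspicious, else ''."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[0] in ("http", "https"):
        return "url-shaped-query"      # a URL scheme is never a real hostname label
    if len(labels) > MAX_LABELS:
        return "deep-name"             # path/query components inflate label count
    if labels[0] == "wpad":
        return "wpad-discovery"        # client is asking the network for a PAC file
    return ""

def scan_dns_log(log_text: str) -> List[Dict[str, str]]:
    """Parse query log lines and return the entries that match a leak pattern."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m is None:
            continue
        reason = classify(m.group("qname"))
        if reason:
            hits.append({"src": m.group("src"),
                         "qname": m.group("qname"),
                         "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['src']:<12} {hit['reason']:<18} {hit['qname']}")
```

Running it on the sample prints the two encoded-URL queries and the WPAD lookup while leaving the ordinary names alone.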