The researchers also devised another attack where they use the rogue proxy to redirect the user to a fake captive portal page, like those used by many wireless networks to collect information about users before allowing them on the Internet.
Their fake captive portal forces browsers to load common websites like Facebook or Google in the background and then performs a 302 HTTP redirect to URLs that can only be accessed after the user authenticates. If the user is already authenticated -- and most people have authenticated sessions in their browsers -- the attackers will be able to gather information from their accounts.
This attack can expose the victims' account names on various websites, and even private content such as photos that can be reached via direct links. For example, people's private photos on Facebook are actually hosted on the site's content delivery network and can be accessed directly by other users if they know the full URL to their location on the CDN.
Furthermore, attackers can steal authentication tokens for the popular OAuth protocol, which allows users to log into third-party websites with their Facebook, Google, or Twitter accounts. By using the rogue proxy, 302 redirects, and the browser's page pre-rendering functionality, they can hijack social media accounts and in some cases gain full access to them.
In a demo, the researchers showed how they could steal photos, location history, email summaries, reminders, and contact details for a Google account, as well as all documents hosted by that user in Google Drive.
It's worth stressing that these attacks do not break the HTTPS encryption in any way, but rather work around it and take advantage of how the web and browsers work. They show that if WPAD is turned on, HTTPS is much less effective at protecting sensitive information than previously believed.
But what about people who use virtual private networks (VPNs) to encrypt their entire Internet traffic when they connect to a public or untrusted network? Apparently, WPAD breaks those connections, too.
The two researchers showed that some widely used VPN clients, like OpenVPN, do not clear the Internet proxy settings set via WPAD. This means that if attackers have already managed to poison a computer's proxy settings through a malicious PAC before that computer connects to a VPN, its traffic will still be routed through the malicious proxy after going through the VPN. This enables all of the attacks mentioned above.
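One defensive check a practitioner would want after reading this is a way to confirm, before and after a VPN tunnel comes up, that no WPAD auto-detect flag, PAC URL, or unexpected static proxy is still active for the user. The script below is an added example, not code from the article or from the researchers. It audits the per-user Windows proxy configuration (the `DefaultConnectionSettings` binary value and the `AutoConfigURL` string under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`); the blob layout it parses (version, counter, 32-bit flags, then three length-prefixed strings for proxy server, bypass list and PAC URL) is an assumption taken from public descriptions of that value. Constructed sample blobs are built inline so the logic runs on any platform; on Windows it also reads the live values.

```python
"""Audit Windows per-user proxy settings for WPAD auto-detect or a PAC URL.

Added example, not from the article. The DefaultConnectionSettings layout
(version, counter, flags, then three length-prefixed strings) is an
assumption based on public descriptions of that registry value.
"""
import struct
from typing import Dict, List, Optional

# Flag bits of the 32-bit field at offset 8 of DefaultConnectionSettings.
FLAG_DIRECT = 0x01        # no proxy, no auto-detect
FLAG_PROXY = 0x02         # static proxy server configured
FLAG_PAC_URL = 0x04       # explicit PAC script URL configured
FLAG_AUTO_DETECT = 0x08   # WPAD auto-detect (DHCP option 252 / DNS "wpad")


def parse_connection_settings(blob: bytes) -> Dict[str, object]:
    """Decode version, flags and the three strings from the blob."""
    if len(blob) < 12:
        raise ValueError("DefaultConnectionSettings blob too short")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    pos = 12
    strings = []
    for _ in range(3):  # proxy server, bypass list, PAC URL
        if pos + 4 > len(blob):
            strings.append("")
            continue
        (length,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        strings.append(blob[pos:pos + length].decode("latin-1"))
        pos += length
    return {
        "version": version,
        "flags": flags,
        "proxy_server": strings[0],
        "bypass_list": strings[1],
        "pac_url": strings[2],
    }


def build_connection_settings(flags: int, proxy_server: str = "",
                              bypass_list: str = "", pac_url: str = "") -> bytes:
    """Encode a blob in the same layout; used here to construct sample input."""
    out = struct.pack("<III", 0x46, 1, flags)
    for s in (proxy_server, bypass_list, pac_url):
        data = s.encode("latin-1")
        out += struct.pack("<I", len(data)) + data
    return out + bytes(32)  # trailing reserved bytes, all zero


def audit_proxy_settings(conn_blob: bytes, auto_config_url: Optional[str] = None,
                         trusted_proxies=()) -> List[str]:
    """Return findings that mean traffic may still leave via an attacker-chosen proxy."""
    cfg = parse_connection_settings(conn_blob)
    findings = []
    if cfg["flags"] & FLAG_AUTO_DETECT:
        findings.append("WPAD auto-detect enabled: the local network can supply the PAC file")
    pac = auto_config_url or cfg["pac_url"]
    if (cfg["flags"] & FLAG_PAC_URL) or pac:
        findings.append(f"PAC script configured: {pac or '<empty url>'}")
    if (cfg["flags"] & FLAG_PROXY) and cfg["proxy_server"]:
        if cfg["proxy_server"] not in trusted_proxies:
            findings.append(f"static proxy not in allowlist: {cfg['proxy_server']}")
    return findings


def read_live_settings() -> Optional[List[str]]:
    """On Windows, audit the real per-user values; return None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    base = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base + r"\Connections") as key:
        blob, _ = winreg.QueryValueEx(key, "DefaultConnectionSettings")
    auto_config = None
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as key:
        try:
            auto_config, _ = winreg.QueryValueEx(key, "AutoConfigURL")
        except FileNotFoundError:
            pass  # no explicit PAC URL set
    return audit_proxy_settings(blob, auto_config)


if __name__ == "__main__":
    live = read_live_settings()
    if live is None:
        # Not on Windows: run a constructed sample in which auto-detect was
        # left on, as the article says some VPN clients do.
        sample = build_connection_settings(FLAG_DIRECT | FLAG_AUTO_DETECT)
        for finding in audit_proxy_settings(sample):
            print("FINDING:", finding)
    else:
        for line in live or ["no WPAD auto-detect, PAC or untrusted proxy found"]:
            print(line)
```

Run it once before connecting the VPN and once after the tunnel is up; if the second run still reports auto-detect or a PAC URL, the client did not clear the settings and browser traffic can still be steered by whoever answered the WPAD lookup on the earlier network.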
Most operating systems and browsers had vulnerable WPAD implementations when the researchers discovered these issues earlier this year, but only Windows had WPAD enabled by default.
Since then, patches have been released for OS X, iOS, Apple TV, Android, and Google Chrome. Microsoft and Mozilla were still working on patches as of Sunday.