The researchers recommended computer users disable the protocol. "No seriously, turn off WPAD!" one of their presentation slides said. "If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file."
Chapman and Stone were not the only researchers to highlight security risks with WPAD. A few days before their presentation, two other researchers named Itzik Kotler and Amit Klein independently showed the same HTTPS URL leak via malicious PACs in a presentation at the Black Hat security conference. A third researcher, Maxim Goncharov, held a separate Black Hat talk about WPAD security risks, entitled BadWPAD.
In May, researchers from Verisign and the University of Michigan showed that tens of millions of WPAD requests leak out onto the Internet every single day when laptops are taken outside of enterprise networks. Those computers are looking for internal WPAD domains that end in extensions like .global, .ads, .group, .network, .dev, .office, .prod, .hsbc, .win, .world, .wan, .sap, and .site.
The problem is that some of these domain extensions have become public generic TLDs and can be registered on the Internet. This can potentially allow attackers to hijack WPAD requests and push rogue PAC files to computers even if they're not on the same network as them.
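To check whether a fleet is exposed to this kind of leak, the following added example (not code from the researchers or the article) audits a list of DNS search suffixes against the extensions listed above. The sample suffixes are constructed, the function names are hypothetical, and the devolution rule (prepend `wpad.`, then drop leftmost labels down to a two-label name) is an assumption about client behaviour.

```python
# Added example: flag DNS search suffixes whose WPAD lookups could leak
# to the public Internet. Suffixes below are constructed sample data.

# Extensions the article lists as seen in leaked WPAD requests.
ARTICLE_TLDS = {
    "global", "ads", "group", "network", "dev", "office", "prod",
    "hsbc", "win", "world", "wan", "sap", "site",
}


def wpad_candidates(suffix, min_labels=2):
    """Return the WPAD hostnames a client may try for one DNS suffix.

    Assumption: the client prepends "wpad." and devolves by dropping the
    leftmost label until fewer than min_labels labels would remain.
    """
    labels = [part for part in suffix.strip(".").lower().split(".") if part]
    floor = max(min_labels, 1)  # never emit a bare "wpad." name
    names = []
    while len(labels) >= floor:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def audit_suffixes(suffixes, risky_tlds=ARTICLE_TLDS):
    """Map each suffix whose last label is in risky_tlds to its lookups."""
    findings = {}
    for suffix in suffixes:
        labels = suffix.strip(".").lower().split(".")
        if labels[-1] in risky_tlds:
            findings[suffix] = wpad_candidates(suffix)
    return findings


if __name__ == "__main__":
    # Constructed sample: suffixes as they might appear in a laptop's
    # resolver configuration or a DHCP option 119 search list.
    sample = ["corp.office", "emea.acme.network", "ad.example.com", "lab.dev."]
    for suffix, names in audit_suffixes(sample).items():
        print(f"{suffix}: extension is on the leaked-WPAD list; "
              f"lookups to review: {', '.join(names)}")
```

Any suffix it reports is a candidate for renaming to a domain the organisation actually owns, or for disabling WPAD on the affected clients as the researchers recommend.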