August 18, 2016 By Larry Loeb

Many enterprises connect to the internet through a proxy server as a standard practice. But security researcher Jerry Decime recently discovered a man-in-the-middle (MitM) attack that exploits proxy use.

He gave the exploit a snazzy name, FalseCONNECT, and got a CVE tracking number for it. But what is this software vulnerability all about?

Bad Connection

Decime demonstrated a flaw in how applications from major vendors (excluding Lenovo) handle HTTP/1.0 407 Proxy Authentication Required responses to HTTP CONNECT requests. The major vendors affected by this flaw include Apple, Microsoft, Oracle and Opera. Other vendors are still in the process of evaluating the situation as it pertains to them.

The vulnerability note summarized the inner workings of the issue rather nicely, if densely. An attacker with the ability to modify proxy traffic, it explained, may phish for credentials by forcing the use of 407 Proxy Authentication Required responses.

“WebKit-based clients,” the note said, “are vulnerable to additional vectors due to the fact that HTML markup and JavaScript are rendered by the client Document Object Model (DOM) in the context of the originally requested HTTPS domain.”

In other words, there is a problem with the CONNECT request that affects everyone, and there are also additional problems, such as arbitrary HTML and JavaScript injection, for WebKit-based clients.
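As an added illustration (not code from the vulnerability note or from Decime's research), the sketch below shows how a client or a monitoring point could classify a proxy's reply to a CONNECT request: only a 2xx opens the tunnel, a 407 is reduced to its Proxy-Authenticate challenge, and the body is never handed back for rendering. The function name, the active-content heuristic and the sample replies are assumptions constructed for this example.

```python
import re

# Active content that a proxy's reply to CONNECT should not carry (assumed heuristic).
ACTIVE = re.compile(rb"<\s*(script|form|iframe|object|embed)\b", re.I)

def classify_connect_reply(raw: bytes) -> dict:
    """Classify a proxy's reply to CONNECT; the body is never handed back for rendering."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/1\.[01] (\d{3})(?: |$)", lines[0])
    if not m:
        return {"verdict": "malformed", "challenge": None, "flags": ["bad status line"]}
    status = int(m.group(1))
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().decode("latin-1")
    flags = []
    if 200 <= status < 300:
        # Tunnel is up: what follows is TLS to the origin, not proxy content.
        return {"verdict": "tunnel", "challenge": None, "flags": flags}
    verdict = "proxy-auth" if status == 407 else "reject"
    challenge = headers.get(b"proxy-authenticate")
    if status == 407 and challenge is None:
        flags.append("407 without Proxy-Authenticate")
    if ACTIVE.search(body):
        # A 407 body with script or form markup is worth an alert, never a render.
        flags.append("active content in CONNECT reply body")
    return {"verdict": verdict, "challenge": challenge, "flags": flags}

# Constructed sample replies (not captured traffic).
OK = b"HTTP/1.0 200 Connection established\r\n\r\n"
PLAIN_407 = (b"HTTP/1.0 407 Proxy Authentication Required\r\n"
             b'Proxy-Authenticate: Basic realm="corp-proxy"\r\n'
             b"Content-Length: 0\r\n\r\n")
INJECTED_407 = (b"HTTP/1.0 407 Proxy Authentication Required\r\n"
                b'Proxy-Authenticate: Basic realm="example"\r\n'
                b"Content-Type: text/html\r\n\r\n"
                b"<html><script>/* placeholder */</script></html>")

if __name__ == "__main__":
    for name, reply in [("ok", OK), ("plain", PLAIN_407), ("injected", INJECTED_407)]:
        print(name, classify_connect_reply(reply))
```

Because the returned record contains only the verdict, the challenge string and the flags, a caller has nothing from the proxy's body to place into the DOM of the requested HTTPS origin.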

An Impractical Software Vulnerability

The attacker must be able to modify proxy traffic to carry out this exploit. That requires extensive preparation as well as decent execution skills. An unskilled cybercriminal looking for a quick buck is unlikely to use this type of attack.

Decime also noted that Apple fixed the HTTPS middling flaw in iOS and OS X well within the 45-day disclosure window established by CERT. Other vendors may still have to determine if they are affected and how to remediate any problems.

It’s important to be aware of this vulnerability, but it’s relatively ineffective if the endpoints and infrastructure of the network have been secured. If solutions such as IDS or IPS exist solely on the network’s exit nodes, however, they may miss issues affecting users on local subnets. Nothing is perfect in security.

While this is a relatively shallow flaw in a trusted and widely used solution, it should remind us to continue to look for new ways to address old problems.
