Another day, another way for cybercriminals to snoop out URL data — and even compromise HTTPS protections. The culprit this time: WPAD, or the Web Proxy AutoDiscovery protocol.
While this isn’t the protocol’s first problem, many companies still use it to easily broadcast proxy information across a network. If compromised, businesses may inadvertently leak entire URL paths, even for HTTPS websites. How do organizations avoid a URL flood?
PACs of Problems
As noted by Softpedia, the current problem with WPAD stems from proxy configurations called PAC files, or proxy auto-configs, which are used to automatically set up browser access to the web while still allowing companies to monitor and manage internet access. But if WPAD servers use HTTP rather than HTTPS servers to transmit these PAC files, it’s possible for malicious actors to snoop on configuration details or inject their own malicious version of PACs onto corporate networks.
Then, these bad PACs direct browsers to a compromised proxy that lets cybercriminals follow the entire URL path taken. Instead of simply grabbing the domain name portion of URLs, this PAC attack lets actors see the complete URL, which could include anything from innocuous web content to password reset pages.
That’s not all: According to Threatpost, there’s no visual indication that users have been compromised. URL bars still show they’re protected by HTTPS.
Protocol Redesign
The most likely attack vector is across an insecure wireless network using decoy servers to quickly respond when browsers request a PAC file via WPAD. Because of the conflict inherent that occurs when low-trust JavaScript can be easily executed in high-trust HTTPS environments, researchers are calling for a protocol redesign to limit the attack surface and expose less information.
So far, Apple and Google have responded to the request for improved protocols and PACs, but Microsoft has not. To stay safe, users are advised to disable the automatically detect settings option under LAN settings.
More WPAD Worries
As noted by Naked Security, fake PACs aren’t the only problems plaguing this web proxy protocol. Researchers at the University of Michigan recently discovered a vulnerability that manifests when browsers using the protocol can’t find the right PAC file on local networks. If the browser is on an unknown network, for example, it may escalate queries to public DNS servers and give attackers an easy way inside.
Recent changes to the global top-level domain (gTLD) have also impacted WPAD security. Until 2012, companies could use fake domain names for internal purposes — such as .office, .network or .group — and they couldn’t be purchased or used outside local networks. Now, more than 700 new gTLDs have been approved. Not only do they work beyond business borders, but they can be purchased by anyone, making previously safe domains potentially insecure.
WPAD is an easy way to grab proxy information and get browsers online. When it comes to security, however, this protocol doesn’t make the grade. New PAC problems may push a flood of URL issues onto corporate browsers.