Another day, another way for cybercriminals to snoop out URL data — and even compromise HTTPS protections. The culprit this time: WPAD, or the Web Proxy AutoDiscovery protocol.

While this isn’t the protocol’s first problem, many companies still use it to easily broadcast proxy information across a network. If compromised, businesses may inadvertently leak entire URL paths, even for HTTPS websites. How do organizations avoid a URL flood?

PACs of Problems

As noted by Softpedia, the current problem with WPAD stems from proxy configurations called PAC files, or proxy auto-configs, which are used to automatically set up browser access to the web while still allowing companies to monitor and manage internet access. But if WPAD servers use HTTP rather than HTTPS servers to transmit these PAC files, it’s possible for malicious actors to snoop on configuration details or inject their own malicious version of PACs onto corporate networks.

Then, these bad PACs direct browsers to a compromised proxy that lets cybercriminals follow the entire URL path taken. Instead of simply grabbing the domain name portion of URLs, this PAC attack lets actors see the complete URL, which could include anything from innocuous web content to password reset pages.

That’s not all: According to Threatpost, there’s no visual indication that users have been compromised. URL bars still show they’re protected by HTTPS.

Protocol Redesign

The most likely attack vector is across an insecure wireless network using decoy servers to quickly respond when browsers request a PAC file via WPAD. Because of the conflict inherent that occurs when low-trust JavaScript can be easily executed in high-trust HTTPS environments, researchers are calling for a protocol redesign to limit the attack surface and expose less information.

So far, Apple and Google have responded to the request for improved protocols and PACs, but Microsoft has not. To stay safe, users are advised to disable the automatically detect settings option under LAN settings.

More WPAD Worries

As noted by Naked Security, fake PACs aren’t the only problems plaguing this web proxy protocol. Researchers at the University of Michigan recently discovered a vulnerability that manifests when browsers using the protocol can’t find the right PAC file on local networks. If the browser is on an unknown network, for example, it may escalate queries to public DNS servers and give attackers an easy way inside.

Recent changes to the global top-level domain (gTLD) have also impacted WPAD security. Until 2012, companies could use fake domain names for internal purposes — such as .office, .network or .group — and they couldn’t be purchased or used outside local networks. Now, more than 700 new gTLDs have been approved. Not only do they work beyond business borders, but they can be purchased by anyone, making previously safe domains potentially insecure.

WPAD is an easy way to grab proxy information and get browsers online. When it comes to security, however, this protocol doesn’t make the grade. New PAC problems may push a flood of URL issues onto corporate browsers.

More from

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

What CISOs Should Know About CIRCIA Incident Reporting

In March of 2022, a new federal law was adopted: the Cyber Incident Reporting Critical Infrastructure Act (CIRCIA). This new legislation focuses on reporting requirements related to cybersecurity incidents and ransomware payments. The key takeaway: covered entities in critical infrastructure will now be required to report incidents and payments within specified time frames to the Cybersecurity and Infrastructure Security Agency (CISA). These new requirements will change how CISOs handle cyber incidents for the foreseeable future. As a result, CISOs must…

Will the 2.5M Records Breach Impact Student Loan Relief?

Over 2.5 million student loan accounts were breached in the summer of 2022, according to a recent Maine Attorney General data breach notification. The target of the breach was Nelnet Servicing, a servicing system and web portal provider for the Oklahoma Student Loan Authority (OSLA) and EdFinancial. An investigation determined that intruders accessed student loan account registration information between June and July 2022. The stolen data includes names, addresses, emails, phone numbers and social security numbers for 2,501,324 student loan…

Containers, Security, and Risks within Containerized Environments

Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would…