Attackers can collect your HTTPS Web traffic history. Alex Chapman and Paul Stone from Context, a UK cyber security consultancy firm, have discovered a new attack method using the WPAD protocol and PAC files to leak information about the HTTPS sites a user is visiting.
Their discovery is yet another drop in the lake of exploits that use the widely insecure WPAD protocol.
WPAD stands for Web Proxy Auto-Discovery and is a protocol used to broadcast proxy configurations across a network. This “broadcasting” operation is done using proxy configurations called PAC files, or proxy auto-configs, which browsers or other Internet-connecting apps receives before being routed to their destination.
Attack leaks full URL path for HTTPS websites
Chapman and Stone say that an attacker already on a compromised network can sniff for transiting PAC files and inject their content with malicious code. This is possible when WPAD servers use HTTP instead of HTTPS for transmitting proxy configuration files.
The researchers say that one of the available PAC functions allows an attacker to leak the full URL of an HTTPS site he might be accessing. Normally, when someone tries to sniff HTTPS traffic, he usually sees only the https://domain-name.com part of the URL.
Their attack allows a malicious intruder to sniff on the complete URL, such as https://domain-name.com/page/about/something.html.
The attack may not be as destructive as BadTunnel or Hot Potato, but it is a simple way to collect Web traffic history from a target by breaking the protection provided by HTTPS traffic.
Apple and Google fixed issue, Microsoft didn’t
The issue affects all operating systems, since all support WPAD and PAC files. The researchers have notified all appropriate vendors and some of them have issued patches for their products that fix the way WPAD and PAC files work. This includes Apple for iOS and OS X, and Google for Android and Chrome.
On Windows, the two researchers recommend that users either turn WPAD support off if not used on their network, usually needed only on corporate networks with powerful firewalls.
Windows users on networks where WPAD and PAC are deployed should disable the default “Automatically detect settings” option in the LAN settings section of Internet Properties.