Disable WPAD now or have your accounts and private data compromised

The Web Proxy Auto-Discovery Protocol (WPAD), enabled by default on Windows and supported by other operating systems, can expose computer users’ online accounts, web searches, and other private data, security researchers warn.

Man-in-the-middle attackers can abuse the WPAD protocol to hijack people’s online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections, said Alex Chapman and Paul Stone, researchers with U.K.-based Context Information Security, during the DEF CON security conference this week.

WPAD is a protocol, developed in 1999 by people from Microsoft and other technology companies, that allows computers to automatically discover which web proxy they should use. The proxy is defined in a JavaScript file called a proxy auto-config (PAC) file.

The location of PAC files can be discovered through WPAD in several ways: through a special Dynamic Host Configuration Protocol (DHCP) option, through local Domain Name System (DNS) lookups, or through Link-Local Multicast Name Resolution (LLMNR).

Attackers can abuse these options to supply computers on a local network with a PAC file that specifies a rogue web proxy under their control. This can be done on an open wireless network or if the attackers compromise a router or access point.

Compromising the computer’s original network is optional because computers will still try to use WPAD for proxy discovery when they’re taken outside and are connected to other networks, like public wireless hotspots. And even though WPAD is mostly used in corporate environments, it is enabled by default on all Windows computers, even those running home editions.

Lucian Constantin

A rogue web proxy would allow attackers to intercept and modify non-encrypted HTTP traffic, which wouldn’t normally be a big deal because most major websites today use HTTPS (HTTP Secure).

However, because PAC files allow defining different proxies for particular URLs and can also force DNS lookup for those URLs, Chapman and Stone created a script that leaks all HTTPS URLs via DNS lookups to a rogue server they control.

The full HTTPS URLs are supposed to be hidden because they can contain authentication tokens and other sensitive data as parameters. For example, the URL https://example.com/login?authtoken=ABC1234 could be leaked through a DNS request for https.example.com.login.authtoken.ABC1234.leak and reconstructed on the attacker’s server.

The researchers showed that by using this PAC-based HTTPS URL leak method, attackers can steal Google search terms or see what articles the user has viewed on Wikipedia. That’s bad enough from a privacy perspective, but the risks introduced by WPAD and rogue PAC files don’t end there.

The researchers also devised another attack where they use the rogue proxy to redirect the user to a fake captive portal page, like those used by many wireless networks to collect information about users before allowing them on the Internet.

Their fake captive portal forces browsers to load common websites like Facebook or Google in the background and then performs a 302 HTTP redirect to URLs that can only be accessed after the user authenticates. If the user is already authenticated — and most people have authenticated sessions in their browsers — the attackers will be able to gather information from their accounts.

This attack can expose the victims’ account names on various websites, including private photos from their accounts that can be accessed via direct links. For example, people’s private photos on Facebook are actually hosted on the site’s content delivery network and can be accessed directly by other users if they know the full URL to their location on the CDN.

Furthermore, attackers can steal authentication tokens for the popular OAuth protocol, which allows users to log into third-party websites with their Facebook, Google, or Twitter accounts. By using the rogue proxy, 302 redirects, and the browser’s page pre-rendering functionality, they can hijack social media accounts and in some cases gain full access to them.

In a demo, the researchers showed how they could steal photos, location history, email summaries, reminders, and contact details for a Google account, as well as all documents hosted by that user in Google Drive.

It’s worth stressing that these attacks do not break the HTTPS encryption in any way, but rather work around it and take advantage of how the web and browsers work. They show that if WPAD is turned on, HTTPS is much less effective at protecting sensitive information than previously believed.

But what about people who use virtual private networks (VPNs) to encrypt their entire Internet traffic when they connect to a public or untrusted network? Apparently, WPAD breaks those connections, too.

The two researchers showed that some widely used VPN clients, like OpenVPN, do not clear the Internet proxy settings set via WPAD. This means that if attackers have already managed to poison a computer’s proxy settings through a malicious PAC before that computer connects to a VPN, its traffic will still be routed through the malicious proxy after going through the VPN. This enables all of the attacks mentioned above.

Most operating systems and browsers had vulnerable WPAD implementations when the researchers discovered these issues earlier this year, but only Windows had WPAD enabled by default.

Since then, patches have been released for OS X, iOS, Apple TV, Android, and Google Chrome. Microsoft and Mozilla were still working on patches as of Sunday.

The researchers recommended computer users disable the protocol. “No seriously, turn off WPAD!” one of their presentation slides said. “If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file.”

Chapman and Stone were not the only researchers to highlight security risks with WPAD. A few days before their presentation, two other researchers named Itzik Kotler and Amit Klein independently showed the same HTTPS URL leak via malicious PACs in a presentation at the Black Hat security conference. A third researcher, Maxim Goncharov, held a separate Black Hat talk about WPAD security risks, entitled BadWPAD.

In May, researchers from Verisign and the University of Michigan showed that tens of millions of WPAD requests leak out onto the Internet every single day when laptops are taken outside of enterprise networks. Those computers are looking for internal WPAD domains that end in extensions like .global, .ads, .group, .network, .dev, .office, .prod, .hsbc, .win, .world, .wan, .sap, and .site.

The problem is that some these domain extensions have become public generic TLDs and can be registered on the Internet. This can potentially allow attackers to hijack WPAD requests and push rogue PAC files to computers even if they’re not on the same network with them.