HTTPS and VPN can’t protect from WPAD’s vulnerability

Last updated: October 10, 2016

HTTPS and VPN can’t protect from WPAD’s vulnerabilityWeb Proxy Auto-Discovery Protocol (WPAD) is a special method used by users for locating the URL of a configuration file with the help of DHCP and/or DNS. Making a query the browser uses the feature FindProxyForURL from PAC file where URL and host are sent to. The reply is the proxy used for changing over to the other address.

WPAD is enabled by default on Windows. Besides, it is supported by other operating systems. But according to the infosecurity experts Alex Chapman and Paul Stone, this protocol is undergone vulnerabilities using which hackers can get the user’s data including search history, access to the account, photos. In this case man-in-the-middle attack is used.

The configuration Pac file layout can be defined using Link-Local Multicast Name Resolution (LLMNR), Domain Name System (DNS) or Dynamic Host Configuration Protocol (DHCP). Cybercriminals can use the WPAD’s vulnerability indicating the special configured file layout that makes query over proxy servers controlled by hackers. It may become possible using public Wi-Fi.

The other way is to create proxy server that can intercept and alter unencrypted HTTP traffic. Since hackers created script that allows getting all the encrypted HTTPS URL on your own server.

The whole address HTTPS URL should be hidden as it contains private data. But attackers can restore the address. For example, example.com/login?authtoken=ABC1234 can be restored using DNS query https.example.com.login.authtoken.ABC1234.leak and found on the attacker’s server.

One more type of cyberattack is redirection of the user to fake page. Many wireless networks gather the information about the users with the help of special pages. After entering the data the user has access to the network.

The page created by hackers downloads Facebook or Google and then redirects 302 HTTP to other URL if the user has verified the identity. In consequences, the hacker may get credentials of the user.

The same situation is currently central for VPN users. Popular VPN clients do not delete the settings provided by WPAD. It means if the hacker has managed to customize proxy settings before VPN connection, traffic will pass though proxy server of the hacker. It allows getting all the private data.

 

How to protect yourself?

The easiest way is to turn off WPAD. If you need PAC files for your work, make WPAD disabled and configure URL by yourself.