New attack bypasses HTTPS protection on Macs, Windows, and Linux

2016-07-29

Dan Goodin, writing for Ars Technica about a web browser proxy protocol issue that can expose the full URLs of the pages you’re browsing, even over HTTPS:

The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD (short for Web Proxy Autodiscovery) in a way that exposes certain browser requests to attacker-controlled code. The attacker then gets to see the entire URL of every site the target visits. The exploit works against virtually all browsers and operating systems. It will be demonstrated for the first time at next week’s Black Hat security conference in Las Vegas in a talk titled Crippling HTTPS with Unholy PAC.

[…]

With the exception of the full URL, all other HTTPS traffic remains unaffected by the attack. Still, in some cases, disclosure of the URL can prove fatal for security. The OpenID standard, for instance, uses URLs to authenticate users to the sites and services that support it. Another example is document sharing services, such as those offered by Google and Dropbox, that work by sending a user a security token that’s included in the URL. Many password-reset mechanisms similarly rely on URL-based security tokens. Attackers who obtain such URLs in any of these cases are often able to gain full access to a target’s account or data.

Good to be aware of, and yet another reason to be especially careful when using public WiFi. Fortunately, web browsers could mitigate this:

Still, browsers can largely work around the vulnerability by following the lead of Microsoft’s Edge and Internet Explorer 11 browsers, which invoke the FindProxyForUrl function with URLs that are truncated to host names only, as opposed to full URLs, which may contain authentication tokens or credentials.
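
The truncation described in the quoted passage, sketched as an added example (not code from the article or from any browser): a wrapper strips everything but scheme and host from an HTTPS URL before handing it to the PAC script's `FindProxyForURL` entry point. The names `sanitizeUrlForPac` and `resolveProxy`, the stand-in PAC function, and the `.example` hosts and token are assumptions constructed for illustration.

```javascript
"use strict";

// Reduce a URL to what a PAC script needs for a routing decision.
// For TLS-protected schemes, only scheme + host (+ non-default port) survive;
// path, query, fragment and userinfo never reach the PAC script.
function sanitizeUrlForPac(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol === "https:" || u.protocol === "wss:") {
    return `${u.protocol}//${u.host}/`;
  }
  // Assumption of this sketch: cleartext URLs are already visible on the
  // network, so only embedded credentials and the fragment are dropped.
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Hypothetical wrapper a browser would place around an untrusted PAC script.
function resolveProxy(pacFindProxyForURL, rawUrl) {
  const host = new URL(rawUrl).hostname;
  return pacFindProxyForURL(sanitizeUrlForPac(rawUrl), host);
}

// Constructed stand-in for a PAC script obtained through WPAD.
// It records every URL it is shown so the effect of truncation is observable.
const seenByPac = [];
function FindProxyForURL(url, host) {
  seenByPac.push(url);
  return host.endsWith(".example") ? "PROXY proxy.example:3128" : "DIRECT";
}

// Constructed sample: a password-reset link carrying a URL-based token.
const resetLink =
  "https://accounts.example/reset?token=CONSTRUCTED-TOKEN-123#step2";

const decision = resolveProxy(FindProxyForURL, resetLink);
console.log("proxy decision:", decision);
console.log("URL shown to PAC script:", seenByPac[seenByPac.length - 1]);
```

The routing decision is unchanged because it depends only on the host, while the token in the query string is never exposed to the PAC code.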
