You may not know what HTTP is exactly, but you definitely know that every single website you visit starts with it. Without the Hypertext Transfer Protocol, there'd be no easy way to view all the text, media, and data that you're able to see online. However, with plain HTTP, all communication between your browser and a website is unencrypted, which means it can be eavesdropped on.
This is where HTTPS comes in, the "S" standing for "Secure." It's an encrypted way to communicate between browser and website so that your data stays safe. While it was used mostly in banking, shopping, and other high-security situations, it's now common for many websites such as Facebook, Google, and even Wikipedia to protect your information with HTTPS. And it's most important when you're browsing the internet on free Wi-Fi hotspots, guest networks, and other non-private access points.
You're in a potentially malicious network (free Wi-Fi, a guest network, or maybe your own corporate LAN). You're a security-conscious netizen, so you restrict yourself to HTTPS (browsing to HSTS sites and/or using a "Force TLS/SSL" browser extension). All your traffic is protected from the first byte. Or is it?
Talking with Ars Technica, Itzik Kotler of SafeBreach clarified:
We show that HTTPS cannot provide security when WPAD is enabled. Therefore, a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks.
What does all this mean in layman's terms? What you actually do on those HTTPS sites is still safe from prying eyes, but the full URL that you visit is not: with WPAD enabled, the browser hands every URL it is about to request, query string included, to the proxy auto-configuration (PAC) script it discovered on the network, and it does so before any TLS connection is made. It sounds innocent enough, but if that URL contains a security token, it could allow hackers to gain full control of your account. WPAD is fairly simple for hackers to take advantage of, with MitM tools readily available for Metasploit, and it has been exploited before in other ways.
This attack can be carried out against Linux, Mac, or Windows systems, but primarily against Windows, since it is the only one where WPAD is enabled by default (through Internet Explorer's automatic proxy detection). WPAD is not automatically enabled on Mac OS X or Linux, nor in the Safari, Chrome, or Firefox browsers, so you shouldn't have to do anything on your end to protect yourself unless you use Microsoft Windows.
To disable WPAD in Windows, you'll need to make an easy registry edit, as StackExchange user laktak points out:
- Click the Start button, and in the search field, type in "regedit", then select "regedit.exe" from the list of results.
- Navigate through the tree to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad.
- Once you have the "Wpad" folder selected, right click in the right pane, and click on "New -> DWORD (32-Bit Value)".
- Name this new value "WpadOverride".
- Double click the new "WpadOverride" value to edit it.
- In the "Value data" field, replace the "0" with a "1", then click "OK".
- Reboot the computer.
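The same change can be applied and verified from PowerShell instead of clicking through regedit. This is an added example, not part of the original article or of laktak's answer; it assumes only the registry path and the WpadOverride DWORD value described in the steps above, and it must be run in the session of the user whose profile you want to fix (the key lives under HKEY_CURRENT_USER).

```powershell
# Added example (not from the article or from laktak's answer): disable WPAD for the
# current user by setting WpadOverride = 1 under the Internet Settings\Wpad key,
# then read the value back so the result can be confirmed before rebooting.

$wpadKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad'

function Get-WpadOverrideState {
    # Returns 'Disabled' when WpadOverride is present and set to 1, 'Enabled' otherwise.
    # -ErrorAction SilentlyContinue keeps a missing key or value from throwing.
    $item = Get-ItemProperty -Path $wpadKey -Name 'WpadOverride' -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.WpadOverride -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Wpad {
    # Create the Wpad key if this profile does not have it yet, then write the DWORD.
    if (-not (Test-Path -Path $wpadKey)) {
        New-Item -Path $wpadKey -Force | Out-Null
    }
    New-ItemProperty -Path $wpadKey -Name 'WpadOverride' -PropertyType DWord -Value 1 -Force | Out-Null
}

Write-Host "WPAD before: $(Get-WpadOverrideState)"
Disable-Wpad
Write-Host "WPAD after:  $(Get-WpadOverrideState)"
Write-Host "Reboot the computer for the change to take effect."
```

Get-WpadOverrideState is also handy on its own as a quick audit: run it on a machine that has already been rebooted and it should report "Disabled"; anything else means the setting did not land in this user's profile.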
If you're interested in this PAC malware attack from a hacker's perspective, make sure to check out Itzik Kotler and Amit Klein's presentation at Black Hat 2016, which is scheduled for August 3, 2016, sometime between 4:20 and 5:10 p.m. PST.