Poison Proxy-Bypass HTTPS and VPN

Poison Proxy: Bypassing HTTPS and VPN to Hack Your Online Identity

Researchers have shown that a weakness in how proxy settings are handled exposes HTTPS URLs, giving attackers a wide range of options. The weakness affects most operating systems and web browsers and can be used to leak HTTPS URLs and carry out various malicious activities.

The attack relies on proxy auto-configuration (PAC) files, which specify how web browsers and other user agents handle HTTP, HTTPS, and FTP traffic. A PAC file contains a JavaScript function named FindProxyForURL that decides, for each URL, whether the request is sent directly or through a proxy server.

The location of the PAC file can be discovered automatically by the system using the Web Proxy Auto-Discovery (WPAD) protocol, via DHCP or DNS. Windows and Internet Explorer enable this feature by default, and OS X and Linux, as well as Chrome, Safari, and Firefox, also support it. Companies often use WPAD to ensure that all their systems share a uniform web proxy configuration.

Researchers from the Israeli security company SafeBreach found that by placing malicious logic inside the FindProxyForURL function, an attacker can read the URLs that users visit, including HTTPS URLs, and leak them.

At the Black Hat conference in Las Vegas next week, SafeBreach's chief technology officer and co-founder Itzik Kotler and the company's vice president of security research, Amit Klein, will present the details of the vulnerability and release proof-of-concept malware that uses the attack method. It is worth pointing out that PAC files are already used by a good deal of malware, such as the "Black Moon" Trojan that affected 100,000 users in South Korea.

Kotler and Klein said in an interview that there are two ways to launch the attack. The first is to drop a static "proxy.pac" file onto the target system through malware that already has access to it, and configure the infected computer to use that file.

The second method involves WPAD. If the victim's device is configured to use this protocol, the attacker can hijack the WPAD-related communications with a man-in-the-middle attack so that the browser ends up using a malicious PAC resource. This method is ideal when the attacker has access to the local network or to an open Wi-Fi connection, such as those found in public places (cafes, hotels, airports, etc.).

Once the attacker has configured the system to use their malicious proxy settings, they can intercept every URL the victim visits and route the requests through a machine under their control.

The root of the problem is that low-trust code (JavaScript in the PAC file) is downloaded and executed in a high-trust context, where it sees HTTPS traffic, without any certificate, digital signature, or other protective measure.
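The FindProxyForURL function described above receives the full URL, which is exactly what the attack abuses. The following added example (not code from the article, SafeBreach, or Context) is a small PAC evaluator that applies the mitigation later adopted by browsers, namely handing the script only scheme and host for HTTPS URLs; the PAC helper reimplementations and the two sample PAC scripts are constructed for this demonstration and are assumptions, not the vendors' actual patches.

```javascript
"use strict";

// Reimplementation of three standard PAC helper functions (assumption: enough for the demo).
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  shExpMatch: (s, pattern) => {
    // Shell-style glob: escape regex metacharacters, then map * and ? to regex.
    const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(s);
  },
};

// Mitigation: for https URLs, strip path, query and fragment before the PAC script sees them.
// A routing decision only needs scheme and host, so nothing of value is lost.
function sanitizeUrlForPac(rawUrl) {
  const u = new URL(rawUrl);
  return u.protocol === "https:" ? `${u.protocol}//${u.host}/` : rawUrl;
}

// Evaluate a PAC script in a function scope that exposes only the helpers above,
// and return its decision for one URL.
function runPac(pacSource, rawUrl) {
  const safeUrl = sanitizeUrlForPac(rawUrl);
  const host = new URL(rawUrl).hostname;
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + "\nreturn FindProxyForURL;");
  const findProxyForURL = factory(...names.map((n) => pacHelpers[n]));
  return findProxyForURL(safeUrl, host);
}

// Constructed PAC script that echoes what it was given, to show what a script can observe.
const echoPac = `function FindProxyForURL(url, host) {
  return "DIRECT via " + url;
}`;

// Constructed corporate-style PAC script: proxy only internal names, go direct elsewhere.
const corpPac = `function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".corp.example") || isPlainHostName(host)) return "PROXY proxy.corp.example:8080";
  return "DIRECT";
}`;

console.log(runPac(echoPac, "https://bank.example/reset?token=abc123")); // only scheme and host reach the script
console.log(runPac(corpPac, "https://wiki.corp.example/page"));          // PROXY proxy.corp.example:8080
```

Without the sanitize step, the echo script would see the full reset link including its token, which is the exposure the researchers describe.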

Intercepted HTTPS URLs carry serious security and privacy risks. The researchers point out that a malicious actor can obtain not only sensitive information that appears directly in the URL (such as search terms), but also the URL the user visits when resetting an account password. If the attacker completes the reset before the legitimate user does, they can lock the victim out of the account.

Another problem concerns document sharing. Corporate users often share sensitive information through links generated by file or document sharing services. Once these URLs are captured, an attacker can read the information with little effort.

The attack also opens a two-way channel: the attacker can not only exfiltrate data but also send data on the victim's behalf. Attacks such as distributed denial of service (DDoS) can be launched this way.

Once a botnet of devices infected with PAC malware has been established, launching a DDoS attack is simple. The operators specify the IP address and port of the target site, and every infected device connects to that target whenever its user tries to reach some online resource. To avoid raising suspicion, the attacker can still deliver the user to the site they actually wanted, but only after the request to the target has been sent, which is what causes the overload.

Threat actors can of course also cause local denial-of-service conditions. The attacker can configure the PAC file to select an invalid proxy whenever the user tries to reach a specific online service (such as browsing the web or updating anti-virus software). By pointing at a non-existent proxy address, the attacker prevents the user from obtaining that service.

The problem is not limited to browsers: any application that relies on the system proxy configuration is affected, such as the anti-virus update mentioned above, which does not go through a web browser at all.

In some cases, the vulnerability can also be used for phishing. Some web browsers, such as Internet Explorer, allow a PAC script to call JavaScript's alert() function with the values of PAC variables and functions. The alert() call opens a basic dialog box on the page being visited, which lets the threat actor display a message luring the user to a phishing URL, or, when the user tries to visit a specific site (such as a bank or payment service), trick them into calling a fraudulent phone number.

Although the root of the problem lies in the security design of WPAD/PAC, each browser and operating system vendor can still take measures to reduce exposure to potential attacks.

Security company Context Information Security also independently conducted similar research and notified affected vendors. The company said that Apple resolved the issues in OS X and iOS in May, while Google patched Chrome and Android in July.

At DEF CON, Context Information Security will present its findings in a talk titled "Poison Proxy: Bypassing HTTPS and VPN to Hack Your Online Identity".
