Attack allows malicious parties to view full URLs despite https
Researchers Itzik Kotler and Amit Klein have developed an attack that reveals the complete URLs visited by a victim. The attack can be carried out over a Wi-Fi network, for example, and works even when the site is reached over a secure https connection.
Ars Technica received an email from the researchers with details of the attack ahead of their scheduled presentation at the BlackHat conference. According to that email, the method relies on the Web Proxy Auto-Discovery protocol, WPAD. If this feature is enabled, an attacker can make the victim's browser fetch a PAC file through a malicious DHCP response, for instance on a Wi-Fi network. According to Ars Technica, this file specifies which proxy the browser should use for which types of URL.
A request to visit a URL is first passed through this PAC code, before the secure https connection is established, which lets the attacker see the URL the victim is visiting. That is a problem because many URLs contain an access token, for example to reset a password or to retrieve a file from a server. The same effect can be achieved on an already infected system by having malware point it at a particular proxy.
The attack, named 'Unholy PAC', works on almost all operating systems and browsers, the researchers say. One countermeasure is to disable WPAD, although that can cause problems in some environments. Microsoft Edge and IE11 are less exposed, because they hand only the hostname to the PAC code rather than the full URL. Further details of the attack will be released after the BlackHat presentation.
Update, 13:55: Tweaker Kinine has published a proof of concept of such an attack on GitHub, including a video demonstration.
Images via Ars Technica