Hackers Can Intercept HTTPS URLs via Proxy Attacks

#1 Post by Belham »

Dang, now they can go after proxy servers??? Nearly every decent-sized online company/organization in the world deploys proxy servers.

Hackers Can Intercept HTTPS URLs via Proxy Attacks (affects MSFT, Apple & Linux):

http://www.securityweek.com/hackers-can ... xy-attacks

Hackers Can Intercept HTTPS URLs via Proxy Attacks
By Eduard Kovacs on July 29, 2016


Proxy Configuration Flaws Expose HTTPS URLs, Allow Hackers to Launch Various Attacks

Researchers have demonstrated how a design flaw affecting most operating systems and web browsers can be exploited to exfiltrate HTTPS URLs and conduct various types of malicious activities.

The attack relies on proxy auto-config (PAC) files, which specify how web browsers and other user agents handle HTTP, HTTPS and FTP traffic. PAC files use a JavaScript function named FindProxyForURL to determine whether URLs are fetched directly or through a proxy server.

The location of this PAC file can be automatically detected by a system via DHCP or DNS using a technology called Web Proxy Auto-Discovery Protocol (WPAD). The feature is enabled by default in Microsoft Windows and Internet Explorer, and it is supported on OS X and Linux operating systems, and the Chrome, Safari and Firefox browsers. WPAD is often used by organizations to ensure that all their systems have the same web proxy configuration.

Researchers at Israel-based security firm SafeBreach discovered that by implementing malicious logic inside the FindProxyForURL function, an attacker can read the URLs accessed by a user, including HTTPS URLs, and exfiltrate them. The attack works on Windows, Mac and Linux systems, and all popular web browsers.

Next week at the Black Hat conference in Las Vegas, Itzik Kotler, CTO and co-founder of SafeBreach, and Amit Klein, the company’s VP of security research, will share details on the vulnerability and release proof-of-concept (PoC) malware that leverages this attack method. It’s worth noting that PAC files have also been leveraged by malware in the wild, such as the BlackMoon Trojan, which has affected more than 100,000 users in South Korea.

Kotler and Klein told SecurityWeek in an interview that there are two ways to mount an attack. A piece of malware that has access to the targeted system can drop a static “proxy.pac

learnhow2code

#2 Post by learnhow2code »

The bypassing-HTTPS part really doesn't sound like a new thing, but the bypassing-VPN part is freaking scary (and how the ____ is that even possible?)
