Slashdot Mirror


Disable WPAD Now or Have Your Accounts Compromised, Researchers Warn (csoonline.com)

It's enabled by default on Windows (and supported by other operating systems) -- but now security researchers are warning that "Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections," according to CSO. Slashdot reader itwbennett writes: Their advice: disable WPAD now. "No seriously, turn off WPAD!" one of their presentation slides said. "If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file"... A few days before their presentation, two other researchers named Itzik Kotler and Amit Klein independently showed the same HTTPS URL leak via malicious PACs in a presentation at the Black Hat security conference. A third researcher, Maxim Goncharov, held a separate Black Hat talk about WPAD security risks, entitled BadWPAD.

75 comments

  1. No How To?? by zenlessyank · · Score: 5, Informative

    To prevent Windows from tracking which networks support WPAD, you need to make a simple registry change:

            Click the Start button, and in the search field, type in "regedit", then select "regedit.exe" from the list of results
            Navigate through the tree to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"
            Once you have the "Wpad" folder selected, right click in the right pane, and click on "New -> DWORD (32-Bit Value)"
            Name this new value "WpadOverride"
            Double click the new "WpadOverride" value to edit it
            In the "Value data" field, replace the "0" with a "1", then click "OK"
            Reboot the computer

    1. Re:No How To?? by drinkypoo · · Score: 4, Informative

      Windows Registry Editor Version 5.00

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
      "WpadOverride"=dword:00000001

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:No How To?? by wwphx · · Score: 1

      Thank you. I was a little stunned that there was no info in the TFA to disable it.

      --
      When you sympathize with stupidity, you start thinking like an idiot.
    3. Re: No How To?? by Anonymous Coward · · Score: 4, Informative

      You don't need to mess around in the registry and reboot.

      All you have to do is go into Internet Options (control panel) > Connections > LAN Settings

      Uncheck the top box labeled Automatically detect settings.

      There are GPOs for this as well. And this is not anything close to news. Most companies already disable this in Group Policy because it barely works and is obviously horrifically insecure to anyone that even starts to look into how it works.

    4. Re:No How To?? by Anonymous Coward · · Score: 0

      Yeah I googled the same thing. So the questions are, why tf is this a registry change instead of a control panel click? Why tf is this current user instead of all users? Why tf doesn't MS patch it instead of relying on millions of users to do it individually?

    5. Re:No How To?? by Anonymous Coward · · Score: 1

      Also from what I can tell this is a local network attack.

      So if you never take your computer off your home network, don't panic too much.

      If you plug your computer into remote networks (your local bistro, etc) this could be an issue.

      This sort of attack has been known for a while with PAC files. I was considering setting up this very thing on my home network. But I quickly figured out it was an easy way for someone to inject JavaScript into every web page I am on. PAC files have pretty much full control of every web page loaded. So I am stuck with manual config for proxy setup :( Which is a pain because I want to re-IP my whole network.

    6. Re: No How To?? by Anonymous Coward · · Score: 0

      I assume by "barely works" you mean works great, right? Because it does - work great that is. We've used it for at least 18 years with great success. Autodiscover is really the only way that web browsing with corporate machines works well because if you have to hard code the proxy or proxy script the browsers take forever to figure out that they don't need a proxy on other networks. To remediate the risks, you can simply require that your users always use VPN back to corpnet and don't browse the web on untrusted networks such as hotels, airports, coffee shops and the like.

    7. Re: No How To?? by ColdWetDog · · Score: 1

      To remediate the risks, you can simply require that your users always use VPN back to corpnet and don't browse the web on untrusted networks such as hotels, airports, coffee shops and the like.

      'Don't use untrusted networks' Giggle. Snort. Cough.

      --
      Faster! Faster! Faster would be better!
    8. Re:No How To?? by Ol+Olsoc · · Score: 2

      To prevent Windows from tracking which networks support WPAD, you need to make a simple registry change:

      That's the method that Grandma uses.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    9. Re: No How To?? by Ol+Olsoc · · Score: 1

      I assume by "barely works" you mean works great, right? Because it does - work great that is. We've used it for at least 18 years with great success.

      For the same reason that Password1 is popular.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    10. Re:No How To?? by Bruce+Dawson · · Score: 1

      Yeah, seriously. Telling people that you are at risk of account compromise unless you do "X" and then giving zero instructions on how to do "X" is pretty terrible.

      I did Google for instructions on how to disable Wpad and found the registry setting mentioned above, but it didn't seem clear whether that was sufficient. The instructions below saying "This should work for most users" just add to the confusion.

    11. Re:No How To?? by zenlessyank · · Score: 1

      Grandma rocks!

    12. Re: No How To?? by Anonymous Coward · · Score: 0

      Why the fuck are you using an explicit proxy and not a firewall that scans traffic without requiring configuration?

    13. Re:No How To?? by Ol+Olsoc · · Score: 1

      Grandma rocks!

      And don't take no crap from anyone either.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    14. Re:No How To?? by Anonymous Coward · · Score: 0

      My grandma is Grace Murray Hopper, you insensitive clod

    15. Re:No How To?? by pissoncutler · · Score: 1

      If you want to do this in a single command, or batch file, I believe this will do the same:
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f /v "WpadOverride" /t REG_DWORD /d 1

      Caveat: I'm more of a Linux guy, but with stack overflow and some trial and error, this worked on my Win10 system.

    16. Re:No How To?? by Anonymous Coward · · Score: 0

      Err ... she didn't have any children.

    17. Re: No How To?? by KiloByte · · Score: 1

      Or better, consider every network to be untrusted. No nasty surprises this way.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    18. Re:No How To?? by Attila+Dimedici · · Score: 1

      Umm, when I went to the article there was a little box that showed the screen where you can disable it without going into the registry. Seriously, if you don't know how to disable it, I really hope you don't do ANYTHING to the registry.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    19. Re:No How To?? by hparker · · Score: 1

      When I tried to go to the illustrated panel, it looked totally different on my Windows 7 PC. Does it look the same on your PC? What version of Windows does that illustration apply to?

    20. Re:No How To?? by cwsumner · · Score: 1

      My grandma is Grace Murray Hopper, you insensitive clod

      Err ... she didn't have any children.

      That's a shame. Really. We need her DNA. 8-)

  2. Googling does not tell me how to turn it off. by jlbprof · · Score: 1

    Unless I have Windows Server 2008 RC2. Any clues as to how to turn it off on Windows 10? I do not use proxy so I should turn it off regardless.

    --
    I go out of my way to complicate the simple things, so that I can simplify the complicated things.
    1. Re:Googling does not tell me how to turn it off. by Anonymous Coward · · Score: 0

      For Windows 7 Ultimate SP1 64-bit:

      sc config WinHttpAutoProxySvc start= disabled
      sc stop WinHttpAutoProxySvc

      And yes, the space after the equals sign (=) is needed to appease the sc.exe argument parser.

      The service name may be something different on other Windows versions. To find out the service name, just go to Services and find the one that looks most relevant (read the description), double click on it, and it'll be shown next to "Service name". If it contains spaces, use double quotes around the service name when using sc.exe.

    2. Re:Googling does not tell me how to turn it off. by telchine · · Score: 1

      For Windows 7 Ultimate SP1 64-bit:

      sc config WinHttpAutoProxySvc start= disabled

      C:\WINDOWS\system32>sc stop WinHttpAutoProxySvc
      [SC] ControlService FAILED 1051:

      A stop control has been sent to a service that other running services are dependent on.

  3. WPAD? by TechyImmigrant · · Score: 5, Informative

    If you were finding the summary to be less than clear on WTF it was referring to.. WPAD = Web Proxy Autodiscovery Protocol.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:WPAD? by Anonymous Coward · · Score: 0

      What happens when I turn it off?

    2. Re: WPAD? by Anonymous Coward · · Score: 0

      So the acronym for WPAP IS WPAD? I guess it should be more like Web Proxy AutoDiscovery protocol

    3. Re: WPAD? by TechyImmigrant · · Score: 1

      So the acronym for WPAP IS WPAD? I guess it should be more like Web Proxy AutoDiscovery protocol

      Yes and yes.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    4. Re: WPAD? by Jack_the_Tripper · · Score: 1

      It stops working?

      Maybe, I hear no doesn't mean no on windows anymore so...

    5. Re:WPAD? by Opportunist · · Score: 1

      If you use a proxy and you don't have to configure windows to use it, this won't work anymore.

      But since you're asking that question, I somewhat doubt that you have a proxy configured, and configured in such a way that it uses WPAD. In other words, turn that shit off, if nothing else, it's one less useless service clogging your machine.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:WPAD? by Anonymous Coward · · Score: 0

      Thanks, I have never once heard it referred to as WPAD and figured some idiot was trying to inflate their story by using a made-up acronym. If they had just said "automatic proxy" it would have been immediately clear what the story was referring to.

    7. Re:WPAD? by TechyImmigrant · · Score: 1

      Same here. It's always been autoproxy to me. I Googled, which the summary writer didn't.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  4. stands for by Anonymous Coward · · Score: 0

    Web Proxy Autodiscovery Protocol

  5. Windows Versions? by Anonymous Coward · · Score: 0

    Is this advice for Windows 10? Windows 8? Windows 7? Windows Vista? Windows XP? Windows NT? Windows 2000? Windows 98? Windows 95? Windows ME?

    1. Re:Windows Versions? by TechyImmigrant · · Score: 1

      Is this advice for Windows 10? Windows 8? Windows 7? Windows Vista? Windows XP? Windows NT? Windows 2000? Windows 98? Windows 95? Windows ME?

      Also Linux, iOS, Palm Pilot and KA9Q. The problem is in the protocol blindly fetching javascript and running it. Blame Netscape.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Windows Versions? by Anonymous Coward · · Score: 0

      Everything I've found says that it is not enabled by default in GNU/Linux or iOS.

    3. Re:Windows Versions? by TechyImmigrant · · Score: 2

      Everything I've found says that it is not enabled by default in GNU/Linux or iOS.

      Right. It isn't. The common scenario is your work laptop that has it configured in order to find the company proxy, but when outside that network, it will reach out and pick up anything proffered up with the same name.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    4. Re:Windows Versions? by Opportunist · · Score: 1

      It isn't ... on what distribution? Do you really feel lucky and able to claim that it isn't for ALL distris out there?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Windows Versions? by Anonymous Coward · · Score: 0

      To say it will use anything with the same name doesn't cover all the scenarios. Yes, you can use it via DNS and that does indeed just use the name "proxy". However, you can also serve WPAD as a DHCP option (it works a lot more quickly than the DNS method) and it can serve an arbitrary name. A malicious network can use any server name they want and simply provide it as option 252 in DHCP.

    6. Re:Windows Versions? by TechyImmigrant · · Score: 1

      It is one of the reasons I stopped using my work laptop outside of work, except at home on the VPN.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    7. Re:Windows Versions? by allo · · Score: 1

      It probably is in your browser.

      There are two variants:
      a) via DHCP. Then your OS needs to do stuff.
      b) via DNS. Then your browser implements it. (Or your OS could do stuff, like setting environment variables.)
      I think the attack is about the DNS variant only.

  6. Do I need to do this for Windows 7? by Anonymous Coward · · Score: 0

    ????

    1. Re:Do I need to do this for Windows 7? by Opportunist · · Score: 1

      Yes. And 8, 8.1, 10, ... all and any of them. The how to is in the top post.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Do I need to do this for Windows 7? by Anonymous Coward · · Score: 1

      Are there chances that this is the weakness being used to track down Tor users who are using Windows OS?

  7. What about Macs? by Yvan256 · · Score: 1

    Is there any such setting to disable on OS X/macOS?

    1. Re: What about Macs? by Anonymous Coward · · Score: 0

      As per the article, OSX and iOS have fixed this vulnerability. Only Windows (and the Mozilla browser) have not fixed this issue.

  8. How to turn off WPAD by JustAnotherOldGuy · · Score: 3, Informative

    This should work for most users:

    1. Uncheck “Automatically detect settings” of Local Area Network (LAN) Settings in Internet Options.

    2. Disable the service “WinHTTP Web Proxy Auto-Discovery Service” in Services.

    3. Disable devolution by setting UseDomainNameDevolution value under the following registry entry to 0 (FALSE):

                  HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:How to turn off WPAD by EvilSS · · Score: 2

      Disabling domain devolution is not necessary and will break short-name resolution on domain joined machines where NetBIOS and WINS are disabled (which should be all of them if you like your sanity).

      --
      I browse on +1 so AC's need not respond, I won't see it.
    2. Re:How to turn off WPAD by JustAnotherOldGuy · · Score: 1

      Disabling domain devolution is not necessary and will break short-name resolution on domain joined machines where NetBIOS and WINS are disabled.

      Thank you for pointing that out. (I'm not using a domain-joined PC myself but I'm sure lots of other people here are.)

      --
      Just cruising through this digital world at 33 1/3 rpm...
    3. Re:How to turn off WPAD by Bruce+Dawson · · Score: 1

      How is this better or different from the single-step option of setting the WpadOverride registry key to "1"? And since you say this "should work for most users", what users will it not work for?

      It is unfortunate that the original article didn't explain this carefully (or at all, actually).

    4. Re:How to turn off WPAD by JustAnotherOldGuy · · Score: 1

      How is this better or different from the single-step option of setting the WpadOverride registry key to "1"?

      I don't know. Perhaps someone more savvy with WPAD than I can comment.

      -

      And since you say this "should work for most users", what users will it not work for?

      As EvilSS mentioned, "disabling domain devolution is not necessary and will break short-name resolution on domain joined machines where NetBIOS and WINS are disabled". So I would guess it won't work for users with that environment.

      --
      Just cruising through this digital world at 33 1/3 rpm...
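As an added example (not code from any commenter in this thread), the PowerShell script below audits the three WPAD-related settings discussed above and, with -Disable, applies them: the WpadOverride value from the top post and drinkypoo's .reg file, the LAN Settings "Automatically detect settings" checkbox, and the WinHTTP Web Proxy Auto-Discovery Service. Following EvilSS's caveat, it leaves UseDomainNameDevolution alone. The byte layout of the DefaultConnectionSettings blob (flags byte at offset 8, change counter at offset 4), the counter bump, and the registry fallback of writing Start=4 when Set-Service is refused on protected services are assumptions from my own experience, not facts from the thread; verify them on your own build.

```powershell
# Added example, not code from the thread. Audits WPAD-related settings on a
# Windows host and, with -Disable, turns them off. Run from an elevated
# PowerShell (the service step needs admin).
#   .\Wpad-Hardening.ps1            # audit only
#   .\Wpad-Hardening.ps1 -Disable   # apply changes, then show the result
param([switch]$Disable)

$WpadKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad'
$ConnKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$SvcName = 'WinHttpAutoProxySvc'
$SvcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$SvcName"

function Get-ConnectionBlob {
    # REG_BINARY blob behind the Internet Options > Connections > LAN Settings dialog.
    $p = Get-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings -ErrorAction SilentlyContinue
    if ($p) { return [byte[]]$p.DefaultConnectionSettings }
    return $null
}

function Get-AutoDetectFlag {
    # Assumption: blob layout is version DWORD, change counter DWORD, flags DWORD, ...
    # and bit 0x08 of the flags byte at offset 8 is "Automatically detect settings".
    $blob = Get-ConnectionBlob
    if (-not $blob -or $blob.Length -le 8) { return $null }
    return [bool]($blob[8] -band 0x08)
}

function Get-WpadState {
    $p = Get-ItemProperty -Path $WpadKey -Name WpadOverride -ErrorAction SilentlyContinue
    if ($p) { $override = $p.WpadOverride } else { $override = 'not set (WPAD active)' }
    $svc = Get-WmiObject Win32_Service -Filter "Name='$SvcName'"
    if ($svc) { $state = $svc.State; $mode = $svc.StartMode } else { $state = 'not found'; $mode = 'not found' }
    New-Object PSObject -Property @{
        WpadOverride      = $override
        AutoDetectEnabled = Get-AutoDetectFlag
        ServiceState      = $state
        ServiceStartMode  = $mode
    }
}

function Disable-Wpad {
    # 1. WpadOverride=1 (HKCU, so repeat per user profile or push it via GPO).
    if (-not (Test-Path $WpadKey)) { New-Item -Path $WpadKey -Force | Out-Null }
    New-ItemProperty -Path $WpadKey -Name WpadOverride -PropertyType DWord -Value 1 -Force | Out-Null

    # 2. Clear the "Automatically detect settings" checkbox in the blob.
    $blob = Get-ConnectionBlob
    if ($blob -and $blob.Length -gt 8) {
        $blob[8] = [byte]($blob[8] -band 0xF7)          # drop the 0x08 auto-detect bit
        $blob[4] = [byte](($blob[4] + 1) -band 0xFF)    # bump change counter (assumption: WinINet re-reads on change)
        Set-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings -Value $blob
    }

    # 3. Disable the WinHTTP Web Proxy Auto-Discovery Service. Stopping it can
    # fail with error 1051 when other services depend on it (see telchine's
    # reply); a Disabled start type still keeps it from running after reboot.
    try {
        Set-Service -Name $SvcName -StartupType Disabled -ErrorAction Stop
    } catch {
        # Assumption: on builds where the service is protected and Set-Service is
        # refused, writing Start=4 (SERVICE_DISABLED) directly still takes effect.
        Set-ItemProperty -Path $SvcKey -Name Start -Value 4
    }
    Stop-Service -Name $SvcName -ErrorAction SilentlyContinue
}

if ($Disable) { Disable-Wpad }
Get-WpadState | Format-List
```

Run it once without -Disable to see where a machine stands (an unset WpadOverride plus AutoDetectEnabled = True is the default, exposed state), then again with -Disable. Because the first two settings live under HKCU, they only cover the user who ran the script; for a fleet, the GPO route mentioned earlier in the thread is the right delivery mechanism.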
  9. Too late by Anonymous Coward · · Score: 0

    a quick search on the Internet shows that these exact warnings about WPAD were given over 4 years ago.

  10. Has anyone made a small program to disable this? by YogicFlier · · Score: 1

    If anyone made a program to disable this, you'd probably make some money. I don't want to try remotely editing the Registry on my mother's computer :-)

  11. Re:WPAD? The Name Says It All by Anonymous Coward · · Score: 1

    If you were finding the summary to be less than clear on WTF it was referring to.. WPAD = Web Proxy Autodiscovery Protocol.

    I've done well over the past 20 years by just looking for marketingspeak and deactivating pre-emptively.

    Insert a CD or device and then manually run SETUP.EXE? Fine. Insert a CD and let Autorun do it? Presume insecure. Disable.

    DHCP is "Dynamic Host Configuration Protocol." No marketing name, but it works just fine and automagically gets me an IP. Something like Web Proxy Auto Discovery of an external service on the LAN? Presume insecure.

    TV? Monitor? Fine. Smart TV? Literally a device with unpatchable firmware sitting on your network. Disable/block it.

    Mounting a remote filesystem? Fine. Bonjour/Zeroconf = Presume insecure. (And while we're at it, File and Print "Sharing" done over port 137/138/139? NetBIOS/NetBEUI? REALLY?!?!?!)

    Plug-and-Play (as the replacement for setting interrupts)? Works just fine. The totally related Universal Plug-and-Play (as in UDP port 1900)? Presume insecure.

    Setting up WPA2 with PSK? Works. WPS, originally known as "Wi-Fi Simple Config" with a push-button? Again, insecure.

    Actual programs that you run and that aren't tightly integrated to the OS? Fine. Windows Widgets and Gadgets because oooh, they're on the desktop and not in their own separate windows? No. Insecure.

    Any service with a marketing-friendly name like "Smart" "Auto" "Easy" - and especially one enabled by default - must be presumed insecure and must be disabled.

  12. Re:Has anyone made a small program to disable this by Anonymous Coward · · Score: 0

    If anyone made a program to disable this, you'd probably make some money. I don't want to try remotely editing the Registry on my mother's computer :-)

    $5 maybe. Not worth the effort.

  13. Blackhat PDF's LOL by Anonymous Coward · · Score: 1

    Article links to 2 PDF's hosted by Blackhat. Can't wait to read em!

  14. Re:Has anyone made a small program to disable this by Anonymous Coward · · Score: 0

    Why not? The registry isn't all that scary. It's just a config file, but in a binary, hierarchically-organized key-value store rather than a text file. Apparently, that scares some people. Some because it's The Registry, and some because "zomg binary config files are teh devil".

    Back in the old days (the mid-90's), there were lots of stupid people griping about the registry. Fast forward two decades, and there are still a few fighting that sad, long-forgotten war. And those people (a group that largely overlaps with the binary-files-are-evil crowd) are still stupid.

    The fact is, the registry hasn't been "unstable" since Win95+USB or possibly earlier, and you can't break your system by messing with the registry without really trying some Quirky-Ass Shit(tm). Unknown keys are simply ignored, and known keys with bad values only crash shitty software that you shouldn't be using anyway because it trusts data it doesn't control.

    Any system-wide DWORD value (like the one to disable various parts of WPAD) is going to simply be handled like a C-int-as-a-boolean, where 0 == false and everything else is true. Simple rule to know whether it's safe to mess with a registry entry:
    1) if it's a binary value, leave it the hell alone,
    2) if it's a string and it's either not readable text or is text containing lots of numbers and delimiters (because some jackass programmer decided to parse a string instead of import a binary value), leave it the hell alone,
    3) if you don't know what the hell it is just by looking at it, leave it the hell alone,
    4) otherwise, it's not a big deal.

  15. Overhyped? by Dynamoo · · Score: 1

    Sounds a bit overhyped to me, "You won't believe what happened when they connected to an untrusted network!"

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:Overhyped? by Anonymous Coward · · Score: 1

      Because you might at first read this as an attack on HTTPS, I can understand why you're skeptical.
      This is however not an attack on HTTPS. Instead, what happens is that if WPAD is enabled, your browser tries (when it connects to a new network) to locate a computer named WPAD, through various ways ultimately falling back on the NetBIOS name, which users are on most networks free to specify themselves.
      From this WPAD computer it downloads a bit of JavaScript, which must provide the browser with a function called FindProxyForURL. Some browsers will provide this function with the full URL of any page they visit, including HTTPS pages, which is kind of a big deal since everything after the host name is normally considered private in HTTPS sessions.
      Now, the designers of WPAD tried to make it hard for the WPAD script to do anything nefarious, but it is allowed to make DNS requests, so if your browser does provide FindProxyForURL with full HTTPS URLs then the WPAD script can leak the URLs by pretending to perform DNS lookups which encode the full URL, which the WPAD computer can sniff, or in some scenarios even gets sent directly.
      The thing is, you don't need WPAD. Unless in some very specific corporate scenarios where the WPAD computer is controlled by the company and cannot be bypassed, you really don't need it ever. So just disable it.

  16. Re:WPAD? The Name Says It All by TechyImmigrant · · Score: 2

    You have done well Glasshopper.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  17. ^%^%^% THIS %^%^%^ by Anonymous Coward · · Score: 0

    overhyped because Slashdot is an FBI site. This story is bogus. Don't worry about this issue whatsoever.

    ice pick.

  18. Re:Blackhat PDF's LOL Slashdot -- --FBI SITE-- by Anonymous Coward · · Score: 0

    The story is bogus.

    These are FBI faggots that went to school to learn criminal law and shit not tech.

    Slashdot is a combination of SIGINT/HUMINT

    What torrent sites do YOU use now :) :) :) Lying punks.
    https://yro.slashdot.org/story/16/08/05/0329246/popular-bittorrent-search-engine-site-torrentzeu-mysteriously-disappears

  19. 8 year old news, but sadly still relevant by random_ID · · Score: 3, Interesting

    I found an 8 year-old article (http://perimetergrid.com/wp/2008/01/11/wpad-internet-explorers-worst-feature/) about this and how to disable it with a simple Google search. I'm still glad Slashdot posted about it today because I would never have realized it was a problem. How has this vulnerability existed for almost a decade without being rectified?

    1. Re:8 year old news, but sadly still relevant by Anonymous Coward · · Score: 0

      Because Microsoft has been working on making the Windows 10 forced updater more efficient instead.

  20. Linux HOWTO by hduff · · Score: 1
    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    1. Re:Linux HOWTO by allo · · Score: 1

      I think the guy is mixing up two different vulnerabilities. The one is about intercepting connections by sending a lot of ACK packets, the other one is about faulty resolution of the DNS name for the WPAD server.

  21. Way to really turn this off and lock it down? by Anonymous Coward · · Score: 0

    Anything in the User Hive is not secure so I hope there is a way to turn this off totally... Microsoft's site is not useful so I guess I will have to slog through GPEDIT since I use Pro to see if there is a policy that can lock this down in the OFF position.

  22. At what point does all this become... by QuietLagoon · · Score: 3, Insightful

    ... "Stop using Windows NOW. No, seriously, stop using it NOW!" ?

    1. Re:At what point does all this become... by Anonymous Coward · · Score: 0

      When you post it? Ummm... now... ?

  23. OS X users? by billbennettnz · · Score: 1

    Can someone in the know make a definitive statement about whether this affects OS X users and if it does what to do?

    1. Re:OS X users? by cmdrbuzz · · Score: 1

      It does not affect Mac OS X.

      WPAD is used to look up the server that then supplies the proxy auto config file (proxy.pac).

      On Mac OS X, under System Preferences, Network, Advanced, Auto Proxy Configuration.
      You would have to type in the location manually, rather than the system using WPAD to attempt to locate it by itself.

      So, Mac OS X is not vulnerable to this.

  24. Re:Has anyone made a small program to disable this by Anonymous Coward · · Score: 0

    Why create a program? Just create a reg file and copy/paste the above post of drinkypoo:

    --copy starts here--
    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
    "WpadOverride"=dword:00000001
    ---copy ends here--

    Copy and paste it into a registry file (without the hyphens), say "DisableMyWPAD.REG", then email it to your mom and tell her to double click this file. No need to build a program.

  25. Exploit overstated. APRC? by Macfox · · Score: 1

    PAC JavaScript isn't evaluated every time. IE uses APRC to cache results per host (not URL), so this significantly diminishes the capabilities of this exploit. To make this exploit work to the degree claimed requires APRC to be disabled, which I suspect might have been done here.

    You can disable this via the registry DWORD (0) at HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoproxyResultCache.

    https://support.microsoft.com/...

    --
    Area51 - We are watching...
    1. Re:Exploit overstated. APRC? by Anonymous Coward · · Score: 0

      FBI social engineering story.

      Windows sucks, do not use.

  26. HTTPS WPAD with self-sign? by Anonymous Coward · · Score: 0

    Will WPAD even work with a self-signed certificate for the URL? If you have a private LAN with DHCP supplying the WPAD/PAC file URL, if the URL only has a self-signed certificate will that work? Is that functionally self-defeating due to an untrusted CA?

    You can't get private IP certs anymore from trusted global CAs, and if you are in a mixed/ad-hoc environment you can't preload your own private CA onto every device. Is this basically the end of WPAD/PAC files for mixed environments then? What alternatives are there?