Slashdot Mirror


Disable WPAD Now or Have Your Accounts Compromised, Researchers Warn (csoonline.com)

It's enabled by default on Windows (and supported by other operating systems) -- but now security researchers are warning that "Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections," according to CSO. Slashdot reader itwbennett writes: Their advice: disable WPAD now. "No seriously, turn off WPAD!" one of their presentation slides said. "If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file"... A few days before their presentation, two other researchers named Itzik Kotler and Amit Klein independently showed the same HTTPS URL leak via malicious PACs in a presentation at the Black Hat security conference. A third researcher, Maxim Goncharov, held a separate Black Hat talk about WPAD security risks, entitled BadWPAD.

5 of 75 comments

  1. No How To?? by zenlessyank · · Score: 5, Informative

    To prevent Windows from tracking which networks support WPAD, you need to make a simple registry change:

            Click the Start button, and in the search field, type in "regedit", then select "regedit.exe" from the list of results
            Navigate through the tree to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"
            Once you have the "Wpad" folder selected, right click in the right pane, and click on "New -> DWORD (32-Bit Value)"
            Name this new value "WpadOverride"
            Double click the new "WpadOverride" value to edit it
            In the "Value data" field, replace the "0" with a "1", then click "OK"
            Reboot the computer

    1. Re:No How To?? by drinkypoo · · Score: 4, Informative

      Windows Registry Editor Version 5.00

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
      "WpadOverride"=dword:00000001

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re: No How To?? by Anonymous Coward · · Score: 4, Informative

      You don't need to mess around in the registry and reboot.

      All you have to do is go into Internet Options (control panel) > Connections > LAN Settings

      Uncheck the top box labeled Automatically detect settings.

      There are GPOs for this as well. And this is not anything close to news. Most companies already disable this in Group Policy because it barely works and is obviously horrifically insecure to anyone that even starts to look into how it works.

  2. WPAD? by TechyImmigrant · · Score: 5, Informative

    If you were finding the summary to be less than clear on WTF it was referring to.. WPAD = Web Proxy Autodiscovery Protocol.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. How to turn off WPAD by JustAnotherOldGuy · · Score: 3, Informative

    This should work for most users:

    1. Uncheck “Automatically detect settings” of Local Area Network (LAN) Settings in Internet Options.

    2. Disable the service “WinHTTP Web Proxy Auto-Discovery Service” in Services.

    3. Disable devolution by setting UseDomainNameDevolution value under the following registry entry to 0 (FALSE):

                  HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

    --
    Just cruising through this digital world at 33 1/3 rpm...
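
A read-only way to check a machine against the settings named in the comments above, as an added example that is not part of the original thread or written by any commenter. The service short name `WinHttpAutoProxySvc` and the `DefaultConnectionSettings` flag byte (byte 8, bit 0x08 for "Automatically detect settings") do not appear in the thread; the flag layout is an assumption about how the checkbox is stored.

```powershell
# Read-only audit of the WPAD-related settings from the comments above.
# Added example: it reports the current state and changes nothing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Result {
    param([string]$Check, $Value, [bool]$AsAdvised)
    if ($null -eq $Value) { $Value = '(not set)' }
    [pscustomobject]@{ Check = $Check; Value = $Value; AsAdvised = $AsAdvised }
}

$inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$results = @()

# WpadOverride DWORD (per-user); the thread sets it to 1.
$override = Get-RegValue "$inet\Wpad" 'WpadOverride'
$results += New-Result 'WpadOverride (HKCU)' $override ($override -eq 1)

# "Automatically detect settings" checkbox (per-user).
# Assumption: stored as bit 0x08 of byte 8 in DefaultConnectionSettings.
$blob = Get-RegValue "$inet\Connections" 'DefaultConnectionSettings'
$autoDetect = $null
if ($null -ne $blob -and $blob.Length -gt 8) {
    $autoDetect = [bool]($blob[8] -band 0x08)
}
$results += New-Result 'Automatically detect settings' $autoDetect ($autoDetect -eq $false)

# WinHTTP Web Proxy Auto-Discovery Service; the thread disables it.
$svc  = Get-CimInstance Win32_Service -Filter "Name='WinHttpAutoProxySvc'" `
            -ErrorAction SilentlyContinue
$mode = if ($null -ne $svc) { "$($svc.StartMode) / $($svc.State)" } else { $null }
$results += New-Result 'WinHttpAutoProxySvc' $mode `
            ($null -ne $svc -and $svc.StartMode -eq 'Disabled')

# DNS devolution (machine-wide); the thread sets it to 0.
$tcpip = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'
$devo  = Get-RegValue $tcpip 'UseDomainNameDevolution'
$results += New-Result 'UseDomainNameDevolution' $devo ($devo -eq 0)

$results | Format-Table -AutoSize
```

The two HKCU checks only cover the account running the script, so run it per user or compare against the Group Policy settings one commenter mentions.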