Disable WPAD Now or Have Your Accounts Compromised, Researchers Warn

It's enabled by default on Windows (and supported by other operating systems) -- but now security researchers are warning that "Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections," according to CSO. Slashdot reader itwbennett writes: Their advice: disable WPAD now. "No seriously, turn off WPAD!" one of their presentation slides said. "If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file"... A few days before their presentation, two other researchers named Itzik Kotler and Amit Klein independently showed the same HTTPS URL leak via malicious PACs in a presentation at the Black Hat security conference. A third researcher, Maxim Goncharov, held a separate Black Hat talk about WPAD security risks, entitled BadWPAD.

No How To??

[zenlessyank]

To prevent Windows from tracking which network support WPAD, you need to make a simple registry change:

        Click the Start button, and in the search field, type in "regedit", then select "regedit.exe" from the list of results
        Navigate through the tree to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"
        Once you have the "Wpad" folder selected, right click in the right pane, and click on "New -> DWORD (32-Bit Value)"
        Name this new value "WpadOverride"
        Double click the new "WpadOverride" value to edit it
        In the "Value data" field, replace the "0" with a "1", then click "OK"
        Reboot the computer

Re:No How To??

[drinkypoo]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadOverride"=dword:00000001

Re:No How To??

[wwphx]

Thank you. I was a little stunned that there was no info in the TFA to disable it.

Re: No How To??

You don't need to mess around in the registry and reboot.

All you have to do is go into Internet Options (control panel) > Connections > LAN Settings

Uncheck the top box labeled Automatically detect settings.

There are GPOs for this as well. And this is not anything close to news. Most companies already disable this in Group Policy because it barely works and is obviously horrifically insecure to anyone that even starts to look into how it works.

Re:No How To??

Also from what I can tell this is a local network attack.

So if you never take your computer of your home network dont panic too much.

If you plug your computer into remote networks (your local bistro, etc) this could be an issue.

This sort of attack has been known for awhile with pac files. I was considering setting up this very thing on my home network. But I quickly figured out it was an easy way for someone to inject javascript into every web page I am on. Pac files have pretty much full control of every web page loaded. So I am stuck with manual config for proxy setup :( Which is a pain because I want to re-ip my whole network.

Re: No How To??

[ColdWetDog]

To remediate the risks, you can simply require that your users always use VPN back to corpnet and don't browse the web on untrusted networks such as hotels, airports, coffee shops and the like.

'Don't use untrusted networks' Giggle. Snort. Cough.

Re:No How To??

[Ol+Olsoc]

To prevent Windows from tracking which network support WPAD, you need to make a simple registry change:

That's the method that Grandma uses.

Re: No How To??

[Ol+Olsoc]

I assume by "barely works" you mean works great, right? Because it does - work great that is. We've used it for at least 18 years with great success. .

For the same reason that Password1 is popular.

Re:No How To??

[Bruce+Dawson]

Yeah, seriously. Telling people that you are at risk of account compromise unless you do "X" and then giving zero instructions on how to do "X" is pretty terrible.

I did Google for instructions on how to disable Wpad and found the registry setting mentioned above, but it didn't seem clear whether that was sufficient. The instructions below saying "This should work for most users" just add to the confusion.

Re:No How To??

[zenlessyank]

Grandma rocks!

Re:No How To??

[Ol+Olsoc]

Grandma rocks!

And don't take no crap from anyone either.

Re:No How To??

[pissoncutler]

If you want to do this in a single command, or batch file, I believe this will do the same:
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f /v "WpadOverride" /t REG_DWORD /d 1

Caveat: I'm more of a Linux guy, but with stack overflow and some trial and error, this worked on my Win10 system.

Re: No How To??

[KiloByte]

Or better, consider every network to be untrusted. No nasty surprises this way.

Re:No How To??

[Attila+Dimedici]

Umm, when I went to the article there was a little box that showed the screen where you can disable it without going into the registry. Seriously, if you don't know how to disable it, I really hope you don't do ANYTHING to the registry.

Re:No How To??

[hparker]

When I tried to go to the illustrated panel, it looked totally different on my Windows 7 PC. Does it look the same on your PC? What version of Windows does that illustration apply to?

Re:No How To??

[cwsumner]

My grandma is Grace Murray Hopper, you insensitive clod

Err ... she didn't have any children.

That's a shame. Really. We need her DNA. 8-)

Googling does not tell me how to turn it off.

[jlbprof]

Unless I have Windows Server 2008 RC2. Any clues as to how to turn it off on Windows 10? I do not use proxy so I should turn it off regardless.

Re:Googling does not tell me how to turn it off.

[telchine]

For Windows 7 Ultimate SP1 64-bit:

sc config WinHttpAutoProxySvc start= disabled

C:\WINDOWS\system32>sc stop WinHttpAutoProxySvc
[SC] ControlService FAILED 1051:

A stop control has been sent to a service that other running services are dependent on.

WPAD?

[TechyImmigrant]

If you were finding the summary to be less than clear on WTF it was referring to.. WPAD = Web Proxy Autodiscovery Protocol.

Re: WPAD?

[TechyImmigrant]

So the acronym for WPAP IS WPAD? I guess it should be more like Web Proxy AutoDiscovery protocol

Yes and yes.

Re: WPAD?

[Jack_the_Tripper]

It stops working?

Maybe, I hear no doesn't mean no on windows anymore so...

Re:WPAD?

[Opportunist]

If you use a proxy and you don't have to configure windows to use it, this won't work anymore.

But since you're asking that question, I somewhat doubt that you have a proxy configured, and configured in such a way that it uses WPAD. In other words, turn that shit off, if nothing else, it's one less useless service clogging your machine.

Re:WPAD?

[TechyImmigrant]

Same here. It's always been autoproxy to me. I Googled, which the summary writer didn't.

What about Macs?

[Yvan256]

Is there any such setting to disable on OS X/macOS?

Re:Windows Versions?

[TechyImmigrant]

Is this advice for Windows 10? Windows 8? Windows 7? Windows Vista? Windows XP? Windows NT? Windows 2000? Windows 98? Windows 95? Windows ME?

Also Linux, iOS, Palm Pilot and KA9Q. The problem is in the protocol blindly fetching javascript and running it. Blame Netscape.

How to turn off WPAD

[JustAnotherOldGuy]

This should work for most users:

1. Uncheck “Automatically detect settings” of Local Area Network (LAN) Settings in Internet Options.

2. Disable the service “WinHTTP Web Proxy Auto-Discovery Service” in Services.

3. Disable devolution by setting UseDomainNameDevolution value under the following registry entry to 0 (FALSE):

              HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

Re:How to turn off WPAD

[EvilSS]

Disabling domain devolution is not necessary and will break short-name resolution on domain joined machines where NetBIOS and WINS are disabled (which should be all of them if you like your sanity).

Re:How to turn off WPAD

[JustAnotherOldGuy]

Disabling domain devolution is not necessary and will break short-name resolution on domain joined machines where NetBIOS and WINS are disabled.

Thank you for pointing that out. (I'm not using a domain-joined PC myself but I'm sure lots of other people here are.)

Re:How to turn off WPAD

[Bruce+Dawson]

How is this better or different from the single-step option of setting the WpadOverride registry key to "1"? And since you say this "should work for most users", what users will it not work for?

It is unfortunate that the original article didn't explain this carefully (or at all, actually).

Re:How to turn off WPAD

[JustAnotherOldGuy]

How is this better or different from the single-step option of setting the WpadOverride registry key to "1"?

I don't know. Perhaps someone more savvy with WPAD than I can comment.

-

And since you say this "should work for most users", what users will it not work for?

As EvilSS mentioned, "disabling domain devolution is not necessary and will break short-name resolution on domain joined machines where NetBIOS and WINS are disabled". So I would guess it won't work for users with that environment.

Has anyone made a small program to disable this?

[YogicFlier]

If anyone made a program to disable this, you'd probably make some money. I don't want to try remotely editing the Registry on my mother's computer :-)

Re:WPAD? The Name Says It All

If you were finding the summary to be less than clear on WTF it was referring to.. WPAD = Web Proxy Autodiscovery Protocol.

I've done well over the past 20 years by just looking for marketingspeak and deactivating pre-emptively.

Insert a CD or device and then manually run SETUP.EXE? Fine. Insert a CD and let Autorun do it? Presume insecure. Disable.

DHCP is "Dynamic Host Configuration Protocol." No marketing name, but it works just fine and automagically gets me an IP. Something like Web Proxy Auto Discovery of an external service on the LAN? Presume insecure.

TV? Monitor? Fine. Smart TV? Literally a device with unpatchable firmware sitting on your network. Disable/block it.

Mounting a remote filesystem? Fine. Bonjour/Zeroconf = Presume insecure. (And while we're at it, File and Print "Sharing" done over port 137/138/139? NetBIOS/NetBEUI? REALLY?!?!?!)

Plug-and-Play (as the replacement for setting interrupts)? Works just fine. The totally related Universal Plug-and-Play, as in UDP Port 1900?) Presume insecure.

Setting up WPA2 with PSK? Works. WPS, originally known as "Wi-Fi Simple Config" with a push-button? Again, insecure

Actual programs that you run and that aren't tightly integrated to the OS? Fine. Windows Widgets and Gadgets because oooh, they're on the desktop and not in their own separate windows? No. Insecure.

Any service with a marketing-friendly name like "Smart" "Auto" "Easy" - and especially one enabled by default - must be presumed insecure and must be disabled.

Blackhat PDF's LOL

Article links to 2 PDF's hosted by Blackhat. Can't wait to read em!

Re:Windows Versions?

[TechyImmigrant]

Everything I've found says that it is not enabled by default in GNU/Linux or iOS.

Right. It isn't. The common scenario is your work laptop that has it configured in order to find the company proxy, but when outside that network, it will reach out and pick up anything proffered up with the same name.

Overhyped?

[Dynamoo]

Sounds a bit overhyped to me, "You won't believe what happened when they connected to an untrusted network!"

Re:Overhyped?

Because you might at first read this as an attack on HTTPS, I can understand why you're skeptical.
This is however not an attack on HTTPS. Instead, what happens is that if WPAD is enabled, your browser tries (when it connects to a new network) to locate a computer named WPAD, through various ways ultimately falling back on the NetBIOS name, which users are on most networks free to specify themselves.
From this WPAD computer it downloads a bit of JavaScript, which must provide the browser with a function called FindProxyForURL. Some browsers will provide this function with the full URL of any page they visit, including HTTPS pages, which is kind of a big deal since everything after the host name is normally considered private in HTTPS sessions.
Now, the designers of WPAD tried to make it hard for the WPAD script to do anything nefarious, but it is allowed to make DNS requests, so if your browser does provide FindProxyForURL with full HTTPS URLs then the WPAD script can leak the URLs by pretending to perform DNS lookups which encode the full URL, which the WPAD computer can sniff, or in some scenarios even gets sent directly.
The thing is, you don't need WPAD. Unless in some very specific corporate scenarios where the WPAD computer is controlled by the company and cannot be bypassed, you really don't need it ever. So just disable it.

Re:Windows Versions?

[Opportunist]

It isn't ... on what distribution? Do you really feel lucky and able to claim that it isn't for ALL distris out there?

Re:Do I need to do this for Windows 7?

[Opportunist]

Yes. And 8, 8.1, 10, ... all and any of them. The how to is in the top post.

Re:WPAD? The Name Says It All

[TechyImmigrant]

You have done well Glasshopper.

8 year old news, but sadly still relevant

[random_ID]

I found an 8 year-old article (http://perimetergrid.com/wp/2008/01/11/wpad-internet-explorers-worst-feature/) about this and how to disable it with a simple Google search. I'm still glad Slashdot posted about it today because I would never have realized it was a problem. How has this vulnerability existed for almost a decade without being rectified?

Linux HOWTO

[hduff]

http://maximumhoyt.blogspot.co...

Re:Linux HOWTO

[allo]

I think the guy is mixing up two different invulnerabilities. The one is about intercepting connections by sending a lot of ack packets, the other one is about faulty resolution of the dns-name for the wpad server.

At what point does all this become...

[QuietLagoon]

... "Stop using Windows NOW. No, seriously, stop using it NOW!" ?

OS X users?

[billbennettnz]

Can someone in the know make a definitive statement about whether this affects OS X users and if it does what to do?

Re:OS X users?

[cmdrbuzz]

It does not affect Mac OS X.

WPAD is used to lookup the server that then supplies the proxy auto config file (proxy.pac).

On Mac OS X, under System Preferences, Network, Advanced, Auto Proxy Configuration.
You would have to type in the location manually, rather than the system using WPAD to attempt to locate it by itself.

So, Mac OS X is not vulnerable to this.

Re:Do I need to do this for Windows 7?

Are there chances that this is the weakness being used to track down Tor users who are using Windows OS?

Exploit overstated. APRC?

[Macfox]

PAC Javascript isn't evaluated every time. IE uses APRC to cache results per host (not URL), so this significantly diminishes the capabilities of this exploit. To make this exploit work to the degree claimed, requires APRC to be disabled, which I suspect might have been done here.

You can disable this via the registry DWORD (0) at HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoproxyResultCache.

https://support.microsoft.com/...

Re:Windows Versions?

[TechyImmigrant]

It is one of the reasons I stopped using my work laptop outside of work, except at home on the VPN.

Re:Windows Versions?

[allo]

It probably is in your browser.

There are two variants:
a) via DHCP. Then your os needs to do stuff
b) Via DNS. Then your browser implements it. (Or your OS could do stuff, like setting environment variables).
I think the attack is about the DNS variant only.