Slashdot Mirror


Disable WPAD Now or Have Your Accounts Compromised, Researchers Warn (csoonline.com)

It's enabled by default on Windows (and supported by other operating systems) -- but now security researchers are warning that "Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections," according to CSO. Slashdot reader itwbennett writes: Their advice: disable WPAD now. "No seriously, turn off WPAD!" one of their presentation slides said. "If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file"... A few days before their presentation, two other researchers named Itzik Kotler and Amit Klein independently showed the same HTTPS URL leak via malicious PACs in a presentation at the Black Hat security conference. A third researcher, Maxim Goncharov, held a separate Black Hat talk about WPAD security risks, entitled BadWPAD.

11 of 75 comments

  1. No How To?? by zenlessyank · · Score: 5, Informative

    To prevent Windows from tracking which networks support WPAD, you need to make a simple registry change:

            Click the Start button, and in the search field, type in "regedit", then select "regedit.exe" from the list of results
            Navigate through the tree to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"
            Once you have the "Wpad" folder selected, right click in the right pane, and click on "New -> DWORD (32-Bit Value)"
            Name this new value "WpadOverride"
            Double click the new "WpadOverride" value to edit it
            In the "Value data" field, replace the "0" with a "1", then click "OK"
            Reboot the computer

    1. Re:No How To?? by drinkypoo · · Score: 4, Informative

      Windows Registry Editor Version 5.00

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
      "WpadOverride"=dword:00000001

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re: No How To?? by Anonymous Coward · · Score: 4, Informative

      You don't need to mess around in the registry and reboot.

      All you have to do is go into Internet Options (control panel) > Connections > LAN Settings

      Uncheck the top box labeled Automatically detect settings.

      There are GPOs for this as well. And this is not anything close to news. Most companies already disable this in Group Policy because it barely works and is obviously horrifically insecure to anyone that even starts to look into how it works.

    3. Re:No How To?? by Ol Olsoc · · Score: 2

      To prevent Windows from tracking which networks support WPAD, you need to make a simple registry change:

      That's the method that Grandma uses.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  2. WPAD? by TechyImmigrant · · Score: 5, Informative

    If you were finding the summary to be less than clear on WTF it was referring to.. WPAD = Web Proxy Autodiscovery Protocol.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. How to turn off WPAD by JustAnotherOldGuy · · Score: 3, Informative

    This should work for most users:

    1. Uncheck “Automatically detect settings” of Local Area Network (LAN) Settings in Internet Options.

    2. Disable the service “WinHTTP Web Proxy Auto-Discovery Service” in Services.

    3. Disable devolution by setting UseDomainNameDevolution value under the following registry entry to 0 (FALSE):

                  HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:How to turn off WPAD by EvilSS · · Score: 2

      Disabling domain devolution is not necessary and will break short-name resolution on domain joined machines where NetBIOS and WINS are disabled (which should be all of them if you like your sanity).

      --
      I browse on +1 so AC's need not respond, I won't see it.
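The steps collected in the how-to comments above (the WpadOverride value, "Automatically detect settings", and the WinHTTP Web Proxy Auto-Discovery Service), as one added PowerShell script that is not from the article or from any of the commenters. It leaves domain-name devolution alone, per the reply about short-name resolution. It assumes a stand-alone Windows machine and an elevated prompt; on a domain-joined box set the same things through Group Policy so GP does not revert them. The function and variable names are the example's own.

```powershell
# Added example, not code from the article or the commenters: the user-level
# WPAD settings discussed in this thread, applied from an elevated PowerShell
# prompt and checked afterwards. Domain-name devolution is deliberately not
# touched. Assumes a stand-alone (non-GP-managed) Windows machine.

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Disable-Wpad {
    # 1. WpadOverride=1, the registry change from the first comment (per-user).
    $wpadKey = Join-Path $inetKey 'Wpad'
    New-Item -Path $wpadKey -Force | Out-Null
    Set-ItemProperty -Path $wpadKey -Name WpadOverride -Type DWord -Value 1

    # 2. Clear "Automatically detect settings". In the DefaultConnectionSettings
    #    blob, byte 8 is a flag set: 0x01 direct, 0x02 manual proxy, 0x04 PAC
    #    URL, 0x08 auto-detect. Clear only the 0x08 bit so a manual proxy or an
    #    explicit PAC URL (the researchers' recommended setup) is preserved.
    $connKey = Join-Path $inetKey 'Connections'
    $prop = Get-ItemProperty -Path $connKey -Name DefaultConnectionSettings -ErrorAction SilentlyContinue
    if ($prop -and $prop.DefaultConnectionSettings.Length -gt 8) {
        $blob = $prop.DefaultConnectionSettings
        $blob[8] = [byte]($blob[8] -band 0xF7)
        Set-ItemProperty -Path $connKey -Name DefaultConnectionSettings -Type Binary -Value $blob
    }

    # 3. Stop and disable the WinHTTP Web Proxy Auto-Discovery Service so code
    #    that goes through WinHTTP rather than the browser stops probing too.
    Stop-Service -Name WinHttpAutoProxySvc -Force -ErrorAction SilentlyContinue
    try {
        Set-Service -Name WinHttpAutoProxySvc -StartupType Disabled -ErrorAction Stop
    } catch {
        # Some builds refuse Set-Service on this service; Start=4 in its
        # service key is the same thing and takes effect at the next boot.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' `
            -Name Start -Type DWord -Value 4
    }
}

function Test-WpadDisabled {
    # One object summarising the three settings, for checking by eye or from a
    # compliance script. Expected after Disable-Wpad and a reboot:
    # WpadOverride=1, AutoDetectEnabled=False, service Stopped/Disabled.
    $override = (Get-ItemProperty -Path (Join-Path $inetKey 'Wpad') -Name WpadOverride -ErrorAction SilentlyContinue).WpadOverride
    $blob = (Get-ItemProperty -Path (Join-Path $inetKey 'Connections') -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
    $autoDetect = if ($blob -and $blob.Length -gt 8) { ($blob[8] -band 0x08) -ne 0 } else { $null }
    $svc = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WpadOverride      = $override
        AutoDetectEnabled = $autoDetect
        ServiceStatus     = if ($svc) { $svc.Status } else { 'missing' }
        ServiceStartType  = if ($svc) { $svc.StartType } else { 'missing' }
    }
}

Disable-Wpad
Test-WpadDisabled
```

Close any open browsers before trusting the AutoDetectEnabled column, since they read the connection settings at start-up, and reboot once so the service change is final. If the machine also has per-connection entries (VPN or dial-up profiles) under the same Connections key, each has its own blob with the same byte-8 layout and needs the same bit cleared.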
  4. Re:Windows Versions? by TechyImmigrant · · Score: 2

    Everything I've found says that it is not enabled by default in GNU/Linux or iOS.

    Right. It isn't. The common scenario is your work laptop that has it configured in order to find the company proxy, but when outside that network, it will reach out and pick up anything proffered up with the same name.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  5. Re:WPAD? The Name Says It All by TechyImmigrant · · Score: 2

    You have done well Glasshopper.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  6. 8 year old news, but sadly still relevant by random_ID · · Score: 3, Interesting

    I found an 8 year-old article (http://perimetergrid.com/wp/2008/01/11/wpad-internet-explorers-worst-feature/) about this and how to disable it with a simple Google search. I'm still glad Slashdot posted about it today because I would never have realized it was a problem. How has this vulnerability existed for almost a decade without being rectified?

  7. At what point does all this become... by QuietLagoon · · Score: 3, Insightful

    ... "Stop using Windows NOW. No, seriously, stop using it NOW!" ?