You may not know what HTTP is exactly, but you definitely know that every single website you visit starts with it. Without the Hypertext Transfer Protocol, there’d be no easy way to view all the text, media, and data that you’re able to see online. However, all HTTP communication between your browser and a website is unencrypted, which means it can be eavesdropped on.
This is where HTTPS comes in, the “S” standing for “Secure.” It’s an encrypted way to communicate between browser and website so that your data stays safe. While it was used mostly in banking, shopping, and other high-security situations, it’s now common for many websites such as Facebook, Google, and even Wikipedia to protect your information with HTTPS. And it’s most important when you’re browsing the internet on free Wi-Fi hotspots, guest networks, and other non-private access points.
You’re in a potentially malicious network (free Wi-Fi, guest network, or maybe your own corporate LAN). You’re a security-conscious netizen so you restrict yourself to HTTPS (browsing to HSTS sites and/or using a “Force TLS/SSL” browser extension). All your traffic is protected from the first byte. Or is it?
Talking with Ars Technica, Itzik Kotler of SafeBreach clarified:
We show that HTTPS cannot provide security when WPAD is enabled. Therefore, a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks.
What does all this mean exactly, in layman’s terms? What you actually do on those HTTPS sites is still safe from prying eyes, but the full URL that you visit is not. It sounds innocent enough, but if that URL contains a security token, it could allow hackers to gain full control of your account. WPAD (Web Proxy Auto-Discovery) is fairly simple for hackers to take advantage of with MitM tools easily available for Metasploit, and has been exploited before in other ways.
This attack can be carried out on Linux, Mac, or Windows systems, but primarily on Windows, since it is the only one where WPAD is enabled by default, with Internet Explorer. WPAD is not automatically enabled in Mac OS X or Linux, nor on Safari, Chrome, or Firefox browsers, so you shouldn’t have to do anything on your end to protect yourself unless you use Microsoft Windows.
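To see why a leaked URL matters, the following added example (not code from the original article or from SafeBreach) audits a few constructed URLs for secrets that sit in the URL itself, and shows the scheme-and-host form a client can hand to proxy auto-configuration logic instead of the full HTTPS URL. The function names, the parameter-name list, the length threshold, and the sample URLs are all assumptions made for illustration.

```javascript
// Added example: all names, thresholds and sample URLs are constructed for illustration.

// Parameter names that commonly carry credentials (assumed, non-exhaustive list).
const SENSITIVE_NAMES =
  /^(token|access_token|id_token|code|session|sid|key|api_key|auth|sig|signature)$/i;

// Long values made only of token-like characters are treated as opaque secrets.
function isOpaque(value) {
  return value.length >= 24 && /^[A-Za-z0-9._~+\/=-]+$/.test(value);
}

// Reduce an https:// URL to scheme + host (+ port) before it is passed to
// proxy auto-configuration logic, so path and query stay inside the TLS session.
function stripForProxyLookup(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol !== "https:") return u.href; // plain HTTP is readable on the wire anyway
  return `${u.protocol}//${u.host}/`; // drops userinfo, path, query and fragment
}

// Name the places in a URL that hold something secret-looking.
function exposedSecrets(rawUrl) {
  const u = new URL(rawUrl);
  const found = [];
  for (const [name, value] of u.searchParams) {
    if (SENSITIVE_NAMES.test(name) || isOpaque(value)) found.push(name);
  }
  // Capability-style links keep the secret in a path segment instead of the query.
  if (u.pathname.split("/").some(isOpaque)) found.push("path");
  if (u.username || u.password) found.push("userinfo");
  return found;
}

function audit(urls) {
  return urls.map((raw) => ({
    url: raw,
    seenAfterStripping: stripForProxyLookup(raw),
    secretsInFullUrl: exposedSecrets(raw),
  }));
}

// Constructed sample URLs (no real accounts or tokens).
const SAMPLE_URLS = [
  "https://accounts.example.com/reset?token=3f9c1e7a5b2d4c6e8f0a1b2c3d4e5f60",
  "https://docs.example.com/d/Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA/edit",
  "https://shop.example.com/cart?item=42&page=2",
];

for (const row of audit(SAMPLE_URLS)) console.log(JSON.stringify(row));
```

Any URL for which `secretsInFullUrl` is non-empty is one where exposure of the address alone is enough to matter; moving such values into request headers or a POST body keeps them out of the URL entirely.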