Publish date
July 2016
Identifier
CVE-2016-3763
Manufacturer
Product
Android
Patched
http://source.android.com/security/bulletin/2016-07-01.html
Authors
Paul Stone, Alex Chapman
Description
We discovered an issue with the way many web browsers and operating systems handle Proxy Auto-Config (PAC) files. A PAC file is JavaScript code that tells the browser which proxy to use when trying to reach a particular URL. If an attacker can get your browser to use a malicious PAC file (for example via a rogue access point or WPAD injection attacks), they can use JavaScript code to monitor the full HTTPS URL of every web request your browser makes. HTTPS URLs can contain sensitive information such as search terms and security tokens used for logging into websites.
Due to Windows' default proxy settings, many browsers and applications auto-discover PAC files using the Web Proxy Auto-Discovery (WPAD) protocol. An attacker on a local network (or even in some cases a remote Internet-based attacker) can force browsers to use a malicious PAC file, and then have full visibility of all HTTPS URLs the user visits.
Whilst primarily a Windows issue, Android, OS X and iOS may be vulnerable to PAC HTTPS leaks when network connections are specifically configured to use PAC files.
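The description above turns on what the proxy resolver passes to the PAC function for each request. The following added example (not code from the advisory or from the Android patch) shows a constructed PAC function that only records its arguments, and a hypothetical resolver-side helper, `sanitizeUrlForPac`, that reduces HTTPS URLs to scheme, host and port before the PAC code sees them. URL stripping as the mitigation, and all names and sample URLs, are assumptions made for illustration.

```javascript
// Constructed stand-in for a PAC file: it records what the resolver hands it.
// A real PAC file defines this same entry point, FindProxyForURL(url, host).
const seenByPac = [];
function FindProxyForURL(url, host) {
  seenByPac.push({ url, host });
  return "DIRECT";
}

// Hypothetical resolver-side mitigation (assumption, not the vendor's code):
// proxy selection for TLS traffic only needs scheme://host[:port]/, so the
// path, query, fragment and any credentials are dropped before PAC runs.
function sanitizeUrlForPac(rawUrl) {
  const u = new URL(rawUrl);
  u.username = "";
  u.password = "";
  u.hash = "";
  if (u.protocol === "https:" || u.protocol === "wss:") {
    u.pathname = "/";
    u.search = "";
  }
  // Plain http keeps its path and query here: that URL is already visible
  // to anyone on the network path, so stripping it would hide nothing.
  return u.href;
}

// Resolve a proxy for one request, with or without sanitization, and
// report exactly which URL string the PAC code was given.
function resolveProxy(rawUrl, sanitize) {
  const host = new URL(rawUrl).hostname;
  const pacUrl = sanitize ? sanitizeUrlForPac(rawUrl) : rawUrl;
  const decision = FindProxyForURL(pacUrl, host);
  return { pacUrl, host, decision };
}

// Constructed sample request carrying a secret in its query string.
const sample = "https://accounts.example.com/reset?token=abc123#step2";
console.log("unsanitized:", resolveProxy(sample, false).pacUrl);
console.log("sanitized:  ", resolveProxy(sample, true).pacUrl);
```

The hostname is still passed to the PAC function in both cases, so proxy rules that key on host continue to work while the path and token stay out of the script's reach.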
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3763