CVE-2016-3763

Information disclosure vulnerability in Proxy Auto-Config

Publish date

July 2016

Identifier

CVE-2016-3763

Manufacturer

Google

Product

Android

Patched

http://source.android.com/security/bulletin/2016-07-01.html

Authors

Paul Stone, Alex Chapman

Description

We discovered an issue with the way many web browsers and operating systems handle Proxy Auto-Config (PAC) files. PAC files are JavaScript code that tell the browser which proxy to use when trying to reach a particular URL. If an attacker can get your browser to use a malicious PAC file (for example via a rogue access point or WPAD injection attacks), they can use JavaScript code to monitor the full HTTPS URL of every web request your browser makes. HTTPS URLs can contain sensitive information such as search terms and security tokens used for logging into websites.

Due to Windows' default proxy settings, many browsers and applications auto-discover PAC files using the Web Proxy Auto-Discovery (WPAD) protocol. An attacker on a local network (or even in some cases a remote Internet-based attacker) can force browsers to use a malicious PAC file, and then have full visibility of all HTTPS URLs the user visits.
Whilst primarily a Windows issue, Android, OS X and iOS may be vulnerable to PAC HTTPS leaks when network connections are specifically configured to use PAC files.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3763

 

CREST
CREST STAR
CHECK IT Health Check Service
CBEST
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor
NCSC CCSC - Assured Service Provider