- Updated slides: Toxic Proxies - Bypassing HTTPS and VPNs to Pwn Your Online Identity
- DefCon talk: YouTube
- Video demonstration: YouTube
- Source code: GitHub
Presentation and Demonstrations
These materials were first presented in our DEF CON 24 talk, Toxic Proxies - Bypassing HTTPS and VPNs to Pwn Your Online Identity.
In our talk, we demonstrated several different attacks that are possible as a result of the PAC HTTPS leak. These include:
- Passively monitoring the user's encrypted search queries and visited websites
- Actively probing social media sites to discover the user's online identities and other information
- Forcing OAuth authentication requests and stealing the resulting tokens, taking control of several user accounts
- Stealing Google SSO tokens to gain partial access to the user's photos, email, calendar, and location history
- Stealing files from the user's Google Drive account
To demonstrate our attacks, we wrote a Python script that runs a combined web server and DNS server. The architecture creates a Command & Control (C2) loop between the attacker's server and the user's browser.
As shown above, there are two components on each side. On the attacker's side are a web server and DNS server.
We have released the source code for our demo server, which is available on GitHub.