Crippling HTTPS with Unholy PAC

Black Hat USA 2016

Presented by: Amit Klein, Itzik Kotler
Date: Wednesday August 03, 2016
Time: 16:20 - 17:10
Location: Mandalay Bay BCD

You're in a potentially malicious network (free WiFi, guest network, or maybe your own corporate LAN). You're a security conscious netizen so you restrict yourself to HTTPS (browsing to HSTS sites and/or using a "Force TLS/SSL" browser extension). All your traffic is protected from the first byte. Or is it?

We will demonstrate that, by forcing your browser/system to use a malicious PAC (Proxy Auto-Configuration) resource, it is possible to leak HTTPS URLs. We will explain how this affects the privacy of the user and how credentials/sessions can be stolen. We will present the concept of "PAC Malware" (malware implemented only as JavaScript logic in a PAC resource) that features: a two-way communication channel between the PAC malware and an external server, contextual phishing via messages, denial-of-service options, and sensitive data extraction from URIs. We present a comprehensive browser PAC feature matrix and elaborate more about this cross-platform (Linux, Windows, Mac) and cross-browser (IE, Chrome, Safari) threat.

Itzik Kotler

Itzik Kotler is CTO and Co-Founder of SafeBreach. Itzik has more than a decade of experience researching and working in the computer security space. He is a recognized industry speaker, having spoken at DEFCON, Black Hat USA, Hack In The Box, RSA, CCC and H2HC. Prior to founding SafeBreach, Itzik served as CTO at Security-Art, an information security consulting firm, and before that he was SOC Team Leader at Radware (NASDAQ: RDWR).

Amit Klein

Amit Klein is a world renowned information security expert, with 24 years in information security and over 30 published technical papers on this topic. Amit is VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks. Before SafeBreach, Amit was CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was chief scientist for Cyota (acquired by RSA) for 2 years, and prior to that, director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM security division) for 7 years. Amit has a B.Sc. from the Hebrew University (magna cum laude, Talpiot program), was recognized by InfoWorld as a CTO of the year 2010, and has presented at RSA, OWASP, CertConf, BlueHat, CyberTech, APWG and AusCERT.
