Connect with us

Hi, what are you looking for?


Data Protection

WPAD Name Collision Flaw Allows MitM Attacks

A vulnerability in the Web Proxy Auto-Discovery (WPAD) protocol can be exploited by malicious actors to launch man-in-the-middle (MitM) attacks against enterprise users, researchers warned.

A vulnerability in the Web Proxy Auto-Discovery (WPAD) protocol can be exploited by malicious actors to launch man-in-the-middle (MitM) attacks against enterprise users, researchers warned.

WPAD is used by organizations to ensure that all their systems have the same web proxy configuration. When a device is connected to the network, it uses WPAD to find the proxy configuration file via DHCP or DNS, and applies it automatically.

The protocol is enabled by default in the Microsoft Windows operating system and the Internet Explorer web browser. WPAD is not enabled by default, but it is supported on OS X and Linux operating systems, and the Chrome, Safari and Firefox browsers.

WPAD has been known to be vulnerable, but researchers from Verisign and University of Michigan have now identified a new attack vector that can pose a serious risk to enterprises.

The problem, according to experts, is related to the fact that many enterprises create internal namespaces such as .corp, .dev and .network for their corporate Active Directory and Lightweight Directory Access Protocol (LDAP) deployments. This should normally not be an issue because these internal TLDs (iTLDs) are meant to be served only from internal name servers.

However, with the introduction of many new generic TLDs (gTLDs), it’s possible that domains created for internal use also exist on the public Internet, which leads to a name collision.

WPAD DNS queries that should be resolved by enterprise DNS servers are known to reach public DNS servers and with the introduction of new gTLDs, malicious actors can take advantage of the name collision to launch MitM attacks.

For example, if an organization’s employee connects a corporate laptop to an external network (e.g. at a coffee shop or their home), the system attempts to discover the corporate WPAD server. However, instead of the organization’s internal DNS server, the request goes to public DNS servers, resulting in internal namespace WPAD query leakage.

Advertisement. Scroll to continue reading.

If a malicious actor registers a domain used by an organization and configures an external proxy for network traffic, they can launch MitM attacks over the Internet and intercept credentials and other sensitive information.

“We observed that roughly 20 million vulnerable queries are seen every day that could be leveraged to exploit MitM attacks, using a combination of the WPAD protocol and name collisions,” researchers said. “What makes this vector so dangerous is that attackers need not be on path, or waiting to spoof responses to DNS queries at just the right time. Attackers can remain off-path and always on, and just wait for willing victims to query them. This effectively enables a large-scale high success probability Watering Hole attack, where an attacker knows with high confidence that victims will visit persistently and be vulnerable and easily exploited.”

The report published by researchers includes a series of recommendations that should thwart attacks. US-CERT has also released an advisory, advising organizations to consider disabling automatic proxy discovery, consider using a fully qualified domain name for the internal namespace, configure internal name servers to respond authoritatively to iTLD queries, and use firewalls and proxies to log and block outbound requests for WPAD files.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

More People On The Move

Expert Insights