It’s enabled by default on Windows (and supported by other operating systems) — but now security researchers are warning that “Man-in-the-middle attackers can abuse the WPAD protocol to hijack people’s online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections,” according to CSO. Slashdot reader itwbennett writes: Their advice: disable WPAD now. “No seriously, turn off WPAD!” one of their presentation slides said. “If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file”… A few days before their presentation, two other researchers named Itzik Kotler and Amit Klein independently showed the same HTTPS URL leak via malicious PACs in a presentation at the Black Hat security conference. A third researcher, Maxim Goncharov, held a separate Black Hat talk about WPAD security risks, entitled BadWPAD.
Read more of this story at Slashdot.