Proxy authentication flaw can be exploited to crack HTTPS protection

Mistakes made in the implementation of proxy authentication in a variety of operating systems and applications have resulted in security vulnerabilities that allow MitM attackers to effectively hijack HTTPS sessions, security researcher Jerry Decime has discovered.

It has been confirmed that the flaw – dubbed FalseCONNECT – affects products by Apple, Microsoft, Opera and Oracle. Lenovo says that their products are not vulnerable, but other vendors who have been notified of the flaw’s existence are yet to comment on this issue.

“Web browsers and operating systems making a HTTPS request via a proxy server are vulnerable to man-in-the-middle (MITM) attacks against HTTP CONNECT requests and proxy response messages. HTTP CONNECT requests are made in clear text over HTTP, meaning an attacker in the position to modify proxy traffic may force the use of 407 Proxy Authentication Required responses to phish for credentials,” Carnegie Mellon University’s CERT/CC has explained.

“WebKit-based clients are vulnerable to additional vectors due to the fact that HTML markup and JavaScript are rendered by the client Document Object Model (DOM) in the context of the originally requested HTTPS domain.”

Decime set up a dedicated website to share technical details about the flaw and how it affects various products, and has started with Apple’s iOS and OS X. The vulnerability impacts WebKit, so any iOS or OS X application that uses WebKit when using proxies is also vulnerable (iTunes, Google Drive, Safari, etc.).

He says that all users that use proxies – with or without their knowledge – may be impacted by this vulnerability. This includes users whose company requires the use of proxies to connect to the Internet.

“Are you a government employee or police officer? Many government agencies and corporations utilize proxies for network optimization and as a layer of protection for their users. You might not even know you’re vulnerable if you’ve installed a proxy auto configuration (PAC) file from a WiFi hotspot or have employer controlled device management software on your iPhone, iPad, Android device, Chromebook, Mac, or PC which configures a proxy for you,” he noted, adding that Windows users are likely also affected as Microsoft enabled automatic proxy configuration by default.

“Are you a human rights, political, or privacy advocate, or someone who chose to use a VPN provider in conjunction with a privacy proxy for that added bit of safety? You might be impacted,” he also pointed out.

“Your secure communications could have been intercepted or tampered with by anyone exploiting this vulnerability via a WiFi evil-twin network or OpenLTE based cellular communications interception solution. Nation state actors with access to Stingray devices and nation level networking gateways could have exploited the FalseCONNECT vulnerabilities.”

Exploitation of the flaws requires the attacker to already have a MitM position on the network which targeted users are a part of. The really bad news is that most if not all victims won’t notice the attack as, for as far as they can see, there is no indication that the connection isn’t secure.

Until more vendors come up with fixes (Apple already has), users are advised to avoid using proxy-configured clients while connected to untrusted networks, and to disable proxy configuration settings if they don’t need them.