Proxy authentication flaw affects Apple, Microsoft, Oracle, Opera
The FalseCONNECT vulnerability allows the compromise of many products and applications, including Apple, Microsoft, Opera, and Oracle products.
A security researcher discovered vulnerabilities affecting the implementation of proxy authentication that could lead to an attacker successfully launching man-in-the-middle attacks and intercepting HTTPS traffic.
The vulnerability (VU#905344), dubbed “FalseCONNECT,” allows the compromise of many products and applications, including Apple, Microsoft, Opera, and Oracle products. The flaw involves “HTTP/1.0 407 Proxy Authentication Required” connection requests.
Security researcher Jerry Decime created a website that provides vulnerability details. The flaws affecting Apple compromised HTTPS trust in all iOS versions “since at least iOS 5.1.1 for OS trust components, Safari, Opera, and applications utilizing WebKit when using proxies,” he wrote on the FalseCONNECT.com website. These flaws affecting Apple were patched as part of the iOS 9.3.3 update in July.
The flaw also affects HTTPS trust failures involving proxy connections used with Safari and apps that use Apple's WebKit engine, including and Google Drive. Other products may still be affected, according to a CERT advisory.
The vulnerability only impacts network environments in which individuals use a proxy connection for online access. “In a twist of irony, those who took steps to guard their privacy and security through the use of a proxy were potentially the ones most exposed by this vulnerability,” Decime wrote.
The CERT advisory suggests that users avoid using a proxy connection from untrusted networks, such as public Wi-Fi. “Using a proxy-configured client on an untrusted network increases the chance of falling victim to a MITM attack,” the alert stated.During a Black Hat 2016 presentation earlier this month, Shape Security senior security researcher Maxim Goncharov demonstrated the remote exploitation of autoproxy configurations. He wrote in an email to SCMagazine.com that he was able to collect about 80 million requests. The combination of VU#905344 and WPAD vulnerability is “can be very dangerous,” Goncharov wrote.