Security researchers are warning that all Windows users need to disable the Web Proxy Auto-Discovery Protocol (WPAD) as it exposes users' online accounts, web searches, and sensitive information even if they are accessing websites over encrypted HTTPS or VPN connections.

The Web Proxy Auto-Discovery Protocol (WPAD) was invented in 1999. It enables computers to automatically discover which web proxy they should be using for a specific URL, with the proxy defined in a JavaScript file known as a proxy auto-config (PAC) file.

So, if you were to take your Windows laptop out of the office, away from the corporate network, the PC would automatically use WPAD to discover proxies when it connected to a public Wi-Fi hotspot.

The protocol is currently supported on all web browsers, as well as the Windows, Mac and Linux operating systems, and iOS and Android, but only Windows has WPAD enabled by default.

WPAD exposes all your online services to hackers

Although the WPAD protocol is undoubtedly useful, it can easily be hijacked so that hackers can see sensitive information that appears on a user's web browser, and there have been countless problems with the protocol in the past, and fixes have not really solved the problem.

Researchers from UK-based Context Information Security (CIS) have found a new problem – WPAD can be hijacked to leak all URLs on a secure HTTPS connection, meaning that hackers could easily steal information from your online accounts like Facebook, Twitter, Gmail and Google Drive, particularly if you routinely keep your accounts logged in on your web browser so that you can instantly access services the next time you turn on your computer.

The researchers describe an attack whereby a malicious Javascript and a malicious PAC script enable hackers to access HTTPS URLs and command responses via DNSContext Information Security

HTTPS is meant to be encrypted web traffic and is now used by most websites and retailers, so even if there is a rogue web proxy that can hijack the WPAD protocol, the hacker still shouldn't be able to see what a user is doing in their web browser because full HTTPS URLs are hidden.

However, according to CSO, researchers Alex Chapman and Paul Stone found that they could create a Python script whereby the PAC file that tries to discover the correct web proxy for the URL is also able to force the computer to check what the exact URL is. And if you can look up the complete HTTPS URL, this means that you can see the hidden authentication tokens and other sensitive parameters, and then use them to login to almost any online service.

Chapman and Stone also created another attack, whereby they used a rogue web proxy to redirect victims to fake captive portal pages (for example, the login page you often have to fill in before you're allowed to use a hotel or café's Wi-Fi network).

When the user tries to load popular web services like Facebook, Google or Twitter, the captive portal forces the web browser to perform a 302 HTTP redirect on all URLs that can only be accessed once you have authenticated your identity.

Using the attack, the researchers were able to expose all of a victim's usernames across multiple services, steal photos from their Facebook account and even look at all email summaries, contact details and reminders in their Google accounts, as well as access all documents stored in the victim's Google Drive.

If you want to disable WPAD permanently to prevent your computer being hijacked follow our step-by-step guide.