Flaws in the implementation of proxy authentication procedures in various products allow an attacker to gain access to all HTTP and HTTPS traffic from victim

Jerry Decime, a researcher has revealed a new vulnerability in implementation of proxy authentication procedures employed by most of the companies, which, if exploited may lead to compromise of all the user’s online behavior . Even HTTPS traffic can be intercepted.

The root of this flaw resides in the way proxy authentication is performed. This kind of authentication is a backbone for organizations that deploy a strong firewall. An attacker, who is placed inside the network and can sniff the proxy traffic, can force the user(s) for unnecessary logins and thus collecting their credentials.

How It Works:

Suppose your organization has a security implementation that requires users to log in to a proxy server before they can access the internet. Now, if a malicious insider has placed [him/her]self as a Man-In-The-Middle,(s)he can listen to all the traffic between the victim and the proxy server. This can be achieved by numerous ways. One way is ARP Spoofing.

The attacker passes the requests and responses(HTTP is request/response based protocol) made prior to authentication. And after authentication is done, the attacker waits for the victim to access a sensitive account e.g. an E-mail account or Facebook account . Since HTTP CONNECT requests are unencrypted, attacker easily identifies if such a request is made. Then it may present the victim with a login page.



The victim submits his/her credentials unaware of what is happening within the network. This attack is successful against any website, whether it uses https or not.

Are some people more vulnerable than others?

Yes! the success of this attack also depends on the client side architecture. For example , if your browser is based on WebKit browser engine , then you are at a greater risk(you can be hacked for accounts you didn’t even try to access)

“WebKit-based clients are vulnerable to additional vectors due to the fact that HTML markup and JavaScript are rendered by the client Document Object Model (DOM) in the context of the originally requested HTTPS domain,” a US-CERT alert reads.

WebKit is used for software such as Chrome, iTunes, Google Drive, Safari, and many mobile applications.

Multiple software vendors deploy applications that can handle proxy connections. Until now, Apple, Microsoft, Oracle, and Opera have acknowledged their products are affected. Lenovo has said this bug does not impact its software.

Other software vendors that are still evaluating the FalseCONNECT bug and may be affected include multiple Linux distros, Cisco, Google, HP, IBM, Juniper, Mozilla, Nokia, OpenBSD, SAP, Sony, and others.

Technical details about this flaw can be found on a dedicated website. US-CERT has also issued an alert, in which users can track vendor responses for the FalseCONNECT vulnerability.