Executive Summary

Title Proxy auto-config (PAC) files have access to full HTTPS URLs
Name VU#877625 First vendor Publication 2016-08-04
Vendor VU-CERT Last vendor Modification 2016-08-30
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#877625

Proxy auto-config (PAC) files have access to full HTTPS URLs

Original Release date: 04 Aug 2016 | Last revised: 30 Aug 2016


Web proxy auto-config (PAC) files are passed the full HTTPS URL in GET requests which may expose sensitive data.


CWE-212: Improper Cross-boundary Removal of Sensitive Data - CVE-2016-5134 (Google), CVE-2016-1801 (Apple)

Web proxy auto-configuration files (proxy.pac) have access to the full URL including the path and parameters in HTTPS GET requests, which may expose sensitive data intended to be protected by HTTPS. This information is passed to the FindProxyForURL() function in the proxy.pac. The PAC file is often retrieved by the browser automatically using the WPAD protocol. An attacker in the position to conduct man-in-the-middle attacks may provide a malicious PAC file capable of exploiting the FindProxyForURL() function to exfiltrate sensitive data.


An attacker who can provide a specially crafted PAC file can read URLs, including the path and query string, which may contain sensitive information intended to be protected by HTTPS.


Apply an update.

Apply the latest updates to your browser, see Vendor Information section below.

Users who are unable to or do not wish to update their browsers should consider the following workaround.

Disable WPAD.

If proxy auto-configuration is not necessary, consider disabling WPAD functionality for your browser.

Vendor Information (Learn More)

This vendors listed below are suspected to be affected by the vulnerability. Other browser vendors not listed may be affected as well. The CERT/CC has no further evidence that any particular vendor is impacted unless marked Affected; vendors are encouraged to reach out to us to clarify their status.

VendorStatusDate NotifiedDate Updated
AppleAffected27 Jul 201604 Aug 2016
GoogleAffected27 Jul 201604 Aug 2016
MozillaAffected27 Jul 201604 Aug 2016
OperaAffected27 Jul 201604 Aug 2016
Microsoft CorporationNot Affected27 Jul 201630 Aug 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)



  • http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html
  • https://support.apple.com/en-us/HT206568


Thanks to Bas Venis for reporting this vulnerability. We also would like to thank Itzik Kotler and Amit Klien for their presentation at Black Hat 2016, and Alex Chapman and Paul Stone for their presentation at DEF CON 24

This document was written by Trent Novelly.

Other Information

  • CVE IDs:CVE-2016-5134CVE-2016-1801
  • Date Public:04 Aug 2016
  • Date First Published:04 Aug 2016
  • Date Last Updated:30 Aug 2016
  • Document Revision:20


If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/877625

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-200 Information Exposure

CPE : Common Platform Enumeration

Application 2
Application 3950