Security: MitM allows reading HTTPS data without SSL-Offloading through WPAD. Extremely Severe
Reported by
bas.ve...@gmail.com,
May 26 2016
Issue description

Please handle this report with utmost care; Chrome is not the only product vulnerable to this behavior. Coordinated disclosure is required.

VULNERABILITY DETAILS
WPAD (autoconfiguration) and proxy.pac behavior allow an attacker on the same network to intercept the full paths & GET data of every HTTPS request made through Chrome (and other software). The root issue seems to be that for HTTPS requests, the full URL including the path & parameters is passed to FindProxyForURL(), which can be exfiltrated by using forced DNS resolutions using dnsResolve(). The POC automatically encodes the URLs to a format transferable over DNS.

VERSION
Chrome Version: 51.0.2704.63 m, most likely all versions with support for WPAD.
Operating System: Various, including Windows 8, 10

REPRODUCTION CASE
Attached are a wpad.dat and proxy.pac provisioning file. Both will work either statically configured or served on http://wpad/wpad.dat or configured via DHCP. For easy reproduction, you can also run chrome.exe --proxy-pac-url="file:///D:\proxy.pac"
A video demonstrating the issue can be found here: https://www.youtube.com/watch?v=_jh1A0tA4PI
The POC shows how a fictitious password reset link at 'https://www.google.com/passwordresettoken=pocexample' could be intercepted.

I came across this issue when tinkering with WPAD after seeing https://www.us-cert.gov/ncas/alerts/TA16-144A this vulnerability, and realising that wasn't the scariest part about it all. Please note that combined with ^ that issue, this could remotely breach HTTPS on carrier/ISP level.
I have not yet found how many products and operating systems are vulnerable, but this seems to be a VERY widespread issue. I'd like to ask your help to coordinate this disclosure to other parties (e.g. other browser vendors). Feel free to contact me for more info or help with reproducing the issue. Cheers!
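The report's root cause is that the PAC script receives the complete HTTPS URL. The mitigation, as an added illustration that is not the reporter's or Chromium's code, is to reduce https:// URLs to their origin before the browser calls FindProxyForURL, so the script (and any dnsResolve() it issues) never sees the path or query. The FindProxyForURL stub and the sample URL below are constructed for the demonstration; the exact rules in Chromium's fix are not reproduced here.

```javascript
// Defender-side model of the mitigation: strip everything after the origin from
// https:// URLs before they are handed to an untrusted PAC script. Added example,
// not code from the report or from Chromium.

function sanitizeUrlForPac(urlString) {
  const u = new URL(urlString);
  // For schemes whose path is already visible on the wire (http, ftp) the PAC
  // script may see the full URL; everything else is reduced to its origin.
  if (u.protocol === 'http:' || u.protocol === 'ftp:') return u.href;
  // u.origin is "https://host[:port]"; PAC scripts expect a trailing slash.
  return `${u.origin}/`;
}

// Hypothetical PAC script standing in for an untrusted wpad.dat. It records the
// URLs it is given so the test can check how much of a request it could observe
// (a malicious script would leak this via dnsResolve() instead of storing it).
const observedByPac = [];
function FindProxyForURL(url, host) {
  observedByPac.push(url);
  return 'DIRECT';
}

// Browser-side dispatch: only the sanitized URL ever reaches the PAC script.
function resolveProxy(urlString) {
  const safeUrl = sanitizeUrlForPac(urlString);
  const host = new URL(safeUrl).hostname;
  return { proxy: FindProxyForURL(safeUrl, host), urlSeenByPac: safeUrl };
}

// Constructed sample: the kind of sensitive link the report describes.
const SAMPLE_URL = 'https://www.google.com/passwordreset?token=pocexample';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(resolveProxy(SAMPLE_URL)); // urlSeenByPac: 'https://www.google.com/'
}
```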
May 26 2016
Is this the same as Issue 593759 (already fixed and public)?
May 26 2016
https://bugs.chromium.org/p/chromium/issues/detail?id=593759 is not public atm, can you grant me access or send me the info in some other way?
May 26 2016
eroman: Can you please triage? As lgarron pointed out, issue 593759 looks similar.
May 26 2016
Correct, this is a duplicate of issue 593759. The latest Canary build of Chromium has a fix: https://chromium.googlesource.com/chromium/src/+/81357b39c643fc746517fd6ce5cb2076b7ddc3f4
May 26 2016
Yes, this is the same as issue 593759.
Sep 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot