Web Proxy Auto-Discovery (WPAD) gives organizations a way to automatically configure a proxy server on your system. Windows enables this setting by default. Here’s why that’s a problem.
WPAD is really useful when an organization like your company or school needs to configure a proxy server for your connection to their network. It saves you from having to set things up yourself. However, WPAD can cause problems should you connect to a malicious public Wi-Fi network. With WPAD enabled, that Wi-Fi network can automatically configure a proxy server in Windows. All your web browsing traffic would be routed through the proxy server while you’re connected to the Wi-Fi network—potentially exposing sensitive data. Most operating systems support WPAD. The problem is that in Windows, WPAD is enabled by default. It’s a potentially dangerous setting, and it should not be enabled unless you really need it.
Proxy servers—not to be confused with virtual private networks (VPNs)—are sometimes required to browse the web on some business or school networks. When you configure a proxy server on your system, your system will send your browsing traffic through the proxy server rather than directly to the websites you visit. This allows organizations to perform web filtering and caching, and may be necessary to bypass the firewalls on some networks.
The WPAD protocol is designed to allow organizations to easily provide proxy settings to all devices that connect to the network. The organization can place a WPAD configuration file in a standard place, and when WPAD is enabled, your computer or other device checks to see if there’s WPAD proxy information provided by the network. Your device then automatically uses whatever settings the proxy auto-configuration (PAC) file provides, sending all traffic on the current network through the proxy server.
While WPAD might be a useful feature on some business and school networks, it can cause big problems on public Wi-Fi networks. You don’t want your computer to automatically configure a proxy server when you connect to a public Wi-Fi network in a coffee shop, airport, or hotel.
That’s why most operating systems disable WPAD by default. iOS, macOS, Linux, and Chrome OS all support WPAD, but it is turned off out of the box. You have to enable WPAD if you want your device to automatically discover proxy settings.
This is not true on Windows. Windows enables WPAD by default, so it will automatically configure the proxy server settings provided by any network you connect to.
If your system is configured to use a dangerous proxy by a malicious Wi-Fi network, your browsing could be vulnerable to snooping and other attacks.
HTTPS encryption normally helps protect the content of your browsing on sensitive websites. So, when you connect to your bank’s website, you might be redirected to an address like https://your_bank.com/account?token=secret_authentication_token. Normally, anyone snooping on the network would just see that you’re connected to https://your_bank.com and wouldn’t know the full address. But, if your PC is browsing through a proxy server, your computer tells your proxy server the full address, which could contain potentially sensitive information.
The proxy server could also modify web pages you access. Even if you’re accessing secure HTTPS pages that the proxy can’t tamper with, the proxy server could redirect you to fake login pages in an attempt to capture your passwords and other sensitive details. The attackers could also steal OAuth authentication tokens, which are used to sign into other websites by using your Google, Facebook, or Twitter user credentials.
This isn’t just a theoretical risk. Security researchers demonstrated WPAD attacks at DEF CON 24 in the summer of 2016. We haven’t seen any reports of this attack being used in the wild, but it’s still a risk.
On Windows 10, you’ll find the WPAD setting under Settings > Network & Internet > Proxy. On Windows 8, the same screen is available at PC Settings > Network Proxy. Just turn the “Automatically detect settings” option off to disable WPAD.
On Windows 7, you can disable WPAD through the Internet Options window. Head to Control Panel > Network and Internet > Internet Options. Note that you can also use this method on Windows 8 or 10, if you like.
In the “Internet Properties” window, switch to the “Connections” tab and click the “LAN settings” button.
In the “Local Area Network (LAN) Settings” window, clear the “Automatically detect settings” check box, and then click “OK” twice to save your settings.
Even if you do need to use a proxy, you’ll be more secure if you specify the precise address of an automatic proxy configuration script (also known as a .PAC file) or manually enter your proxy server details. You won’t be relying on WPAD, which could allow your proxy settings to be hijacked on public Wi-Fi networks.
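To confirm the result without clicking through the dialogs, the script below reads the current user's saved LAN settings and reports which proxy modes are switched on. It is an added example, not part of the original article. The registry location and the byte layout it decodes are not documented by Microsoft and are assumptions based on commonly observed behaviour, and the sample blobs are constructed.

```python
import sys

# Assumed location of the per-user "LAN settings" dialog state (under HKCU).
KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
VALUE = "DefaultConnectionSettings"
FLAGS_OFFSET = 8  # assumed layout: byte 8 is a bit field of enabled modes
MODES = {
    0x02: "manual proxy server",
    0x04: "automatic configuration script (explicit PAC address)",
    0x08: "automatically detect settings (WPAD)",
}


def decode_modes(blob):
    """Return the names of the proxy modes enabled in a settings blob."""
    if len(blob) <= FLAGS_OFFSET:
        raise ValueError(f"blob too short ({len(blob)} bytes) to hold the flags")
    return [name for bit, name in MODES.items() if blob[FLAGS_OFFSET] & bit]


def wpad_enabled(blob):
    """True when the 'Automatically detect settings' box is ticked."""
    return MODES[0x08] in decode_modes(blob)


def sample_blob(flags):
    """Constructed test blob: header, change counter, flags, empty strings."""
    return bytes([0x46, 0, 0, 0, 5, 0, 0, 0, flags, 0, 0, 0]) + bytes(12)


def read_blob():
    """Read the live value from the registry (Windows only)."""
    import winreg  # imported here so the decoder also runs on other systems
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY) as key:
        data, kind = winreg.QueryValueEx(key, VALUE)
    if kind != winreg.REG_BINARY:
        raise ValueError("unexpected registry value type")
    return data


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Run this on the Windows PC you want to check.")
    try:
        modes = decode_modes(read_blob())
    except FileNotFoundError:
        sys.exit("No saved LAN settings for this user; Windows defaults apply.")
    print("Enabled proxy modes:", ", ".join(modes) or "none (direct connection)")
    print("WPAD is", "ON: turn it off" if MODES[0x08] in modes else "off")
```

The setting is stored per user, so run it once for each account that uses the PC.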