This is the story of how a few clicks and a bit of code allowed me to close potential doors to cyber-attacks and make the internet a safer place—all through the seemingly harmless purchase of the WPAD.rs domain. 🎉
While exploring cybersecurity, I became intrigued by the weaknesses of the WPAD protocol (Web Proxy Auto-Discovery), a mechanism designed to let devices automatically discover the proxy server that should handle their internet traffic. In the wrong hands, WPAD opens the door for hackers to monitor and manipulate online traffic.
Out of curiosity, I checked to see if the WPAD.rs domain was available, and to my surprise, it was! Understanding the potential risk, I quickly purchased the domain. With this small acquisition, I was able to offer a major layer of protection for users.
Imagine that every time your device connects to the internet, it looks for “instructions”—like a map. Typically, these instructions direct the device securely. However, if WPAD falls into the wrong hands, hackers could provide a “false map,” redirecting your connection through their server. This gives them a chance to monitor and control everything you do online. 🕵️‍♂️
• Ordinary Users: Hackers could intercept passwords and private information as users connect online.
• Businesses: Hackers could monitor internal emails, business plans, and transactions.
• Government Institutions: Hackers could potentially alter or steal sensitive citizen data.
After securing ownership of the domain, I set up a specific file, wpad.dat, containing a simple function:
function FindProxyForURL(url, host) {
    // Every URL, for every host: connect directly, never through a proxy.
    return "DIRECT";
}
This directs all connected devices to access the internet directly, without a proxy, ensuring no rerouting or tracking through the domain.
In October, Cybersecurity Month, I aimed to contribute by securing WPAD.rs. This is not just a local threat: devices on any network whose DNS domain ends in .rs could be affected, no matter where they are located.
1. Ethical Ownership: The domain must be controlled by a responsible entity.
2. Institutional Control: Agencies like RNIDS or the Serbian Cybercrime Unit could regulate this domain.
As the owner of WPAD.rs, I understand its importance for network security. If Serbian authorities, like RNIDS or the Cybercrime Unit, deem it necessary for national security, I am willing to hand over control of WPAD.rs.
And, of course, “If they remember me on Cybersecurity Day, they remember me. If not, no big deal—it was my duty.” 😊
For more on WPAD attacks and how I’ve helped secure internet safety, visit https://wpad.rs. 🌍
Imagine the following situation: you’re using a computer at home, work, or a public place like a cafe. For your computer to connect to the internet, it needs guidance — a sort of map. Under normal circumstances, it receives a valid map that tells it how to reach the internet and which servers to pass through. But in a WPAD attack, a hacker provides your computer with a fake map. This false map reroutes all your internet traffic through the hacker’s server, allowing the hacker to monitor everything you do online.
Everyday Users: Imagine browsing the internet from home. A hacker could intercept your passwords as you enter them, such as when logging into social media or email accounts. They could also see all the messages and data you send or receive. Public Wi-Fi (like in a cafe) makes you even more vulnerable, as the hacker can easily redirect traffic through their equipment, almost as if they’re watching through a window as you use your computer.
Government Institutions: Imagine working in a government office, handling sensitive citizen data. A hacker could redirect your institution’s internet traffic, silently spying on confidential information. For example, they might track data on citizens’ personal information, leading to identity theft. In more extreme cases, they could try to alter your data on government servers if they infiltrate deeper into the system without detection.
Businesses and Companies: Imagine your company relies on the internet for daily operations, including finances, internal emails, and client communications. If a hacker takes control through a WPAD attack, they could intercept internal data, employee passwords, business plans, and even jeopardize financial transactions. They might also access company systems to alter vital information or cause disruptions that halt operations.
Identity Theft: If a hacker intercepts your passwords and personal details, they could impersonate you. This means they could take control of your social media accounts, emails, and even online shopping accounts where you saved payment cards.
Purchases in Your Name: With access to your data, a hacker could exploit your accounts on shopping sites and place orders in your name. They might also gain access to your card numbers, which is highly dangerous.
Access to Business Secrets: In a company attack, a hacker could reach sensitive business information like contracts, plans, and financials. They might even disable the company’s systems, costing money and harming reputation.
Owning the WPAD.rs domain plays a key role in these attacks. Think of the WPAD domain as a gateway where computers look for instructions on how to connect to the internet. If someone malicious gains control over the WPAD.rs domain, they could set up malicious files that deceive devices in Serbia and reroute them through a hacker’s server. This would mean thousands of devices connecting to the network could be redirected and hacked without users ever knowing.
As the owner of WPAD.rs, I control what instructions the WPAD domain gives to computers in Serbia — whether they receive valid information or malicious data. For this reason, it’s crucial that WPAD.rs remains under the control of a trusted and responsible entity, preventing it from becoming a tool for mass attacks.
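As an added example (not code from wpad.rs or from the post's author), the Node.js snippet below models the chain of wpad hostnames a device walks down from its DNS suffix, which is why a suffix under .rs ends at wpad.rs, and audits a wpad.dat for any rule that introduces a proxy, as a domain owner or network defender would. `office.example.rs`, `proxy.invalid` and the second PAC file are constructed sample values.

```javascript
// Hostnames a WPAD client may query for a device whose DNS suffix is `suffix`.
// Clients strip the suffix one label at a time ("devolution"); how far they go
// varies by OS and configuration, so minLabels is a parameter (1 = down to wpad.rs).
function wpadCandidates(suffix, minLabels = 1) {
  const labels = suffix.toLowerCase().split(".").filter(Boolean);
  const out = [];
  for (let i = 0; labels.length - i >= minLabels; i++) {
    out.push(["wpad", ...labels.slice(i)].join("."));
  }
  return out;
}

// Minimal subset of the helper functions a wpad.dat is allowed to call.
const pacHelpers = {
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, pattern) => {
    const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  },
};

// Load FindProxyForURL from PAC source text. `new Function` is not a sandbox:
// only use this on PAC files you control, never on ones fetched from a network.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Audit: which sample URLs does the PAC route through a proxy? Returns the
// offending [url, result] pairs, so an empty array means "always DIRECT".
function proxiedUrls(source, urls) {
  const find = loadPac(source);
  return urls
    .map((u) => [u, find(u, new URL(u).hostname)])
    .filter(([, r]) => r.trim().toUpperCase() !== "DIRECT");
}

// The wpad.dat published on wpad.rs, as quoted in the post.
const benignPac = 'function FindProxyForURL(url, host) { return "DIRECT"; }';

// A constructed PAC an audit should flag: it names a proxy (proxy.invalid is a reserved placeholder).
const suspectPac = 'function FindProxyForURL(url, host) {\n' +
  '  if (dnsDomainIs(host, ".example.rs")) return "DIRECT";\n' +
  '  return "PROXY proxy.invalid:8080";\n}';

const samples = ["https://mail.example.rs/", "https://bank.example.com/login"];
console.log(wpadCandidates("office.example.rs")); // ends with "wpad.rs"
console.log(proxiedUrls(benignPac, samples));      // []
console.log(proxiedUrls(suspectPac, samples));     // bank.example.com goes via the proxy
```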
A WPAD attack can reach massive proportions. If a hacker gains control over the WPAD.rs domain, they could affect thousands or even hundreds of thousands of devices connecting to networks in Serbia.
This is a large-scale attack, rated 90-100 on a scale of 1-100, as it impacts the country’s entire network infrastructure, not just individual users. This attack is dangerous because it operates “silently.” Often, users don’t realize they’ve been hacked until it’s too late — after data has been stolen, altered, or misused.
A WPAD attack is not a minor threat but one that can endanger regular users, businesses, and even government institutions. Control over the WPAD domain is essential, as it dictates the path all internet traffic follows. If a malicious hacker seizes control of WPAD.rs, they can silently monitor, manipulate, and even fully compromise networks across Serbia.
SentinelOne explains how attackers exploit the WPAD protocol to redirect internet traffic through a fake proxy server, jeopardizing user data. This attack can go on for months or even years if left undetected.
Praetorian details how WPAD-based attacks allow interception of traffic and theft of authentication data. The attack can reach global proportions, especially if attackers succeed in registering an appropriate WPAD domain, such as wpad.rs.
CISA (Cybersecurity and Infrastructure Security Agency) provides an overview of how attackers use vulnerabilities in the WPAD protocol for “man-in-the-middle” (MitM) attacks, which can result in intercepted communications across companies, government institutions, and even home networks.