Capturing Authentication Credentials

There are many issues with using proxy servers, but one of the biggest concerns is proxies that use basic authentication.  It is extremely important that a proxy configured with such authentication does not forward the Proxy-Authorization: header to any origin server.  If this happens, it is a simple task to intercept this header, gain access to the user's name and password and ultimately access to the proxy server itself.  Basic Authentication does not involve encryption, so the credentials are transmitted in clear text and are exceptionally vulnerable.

It might be that this user name and password allows only minimal rights; however, there is a much bigger issue.  Many users will reuse their username and password for other functions.  The password that allows minimal access to an unimportant proxy server will often allow access to the user's email, online banking and PayPal account.  Identity thieves always value usernames and passwords of any sort, even on unimportant services like forums, because in reality they often allow access to more important services.

Although you can stop authentication credentials for the proxy being forwarded on, this does not apply to usernames and passwords intended for the final destination.  In fact, this is the reason many hacked proxies are made available online by hackers: they want to intercept your credentials.  This is why people who are constantly searching for new proxies are putting themselves and their personal data at great risk.  They may think that they saved themselves a few bucks by relaying their connection through an Australian proxy to watch ABC iView, but in reality they may find their bank account cleared out by the administrator of the server.
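The header handling described above, as an added example (not code from the original page): a filter a forwarding proxy could apply before contacting the origin, using constructed sample headers and the hypothetical function names `decode_basic` and `headers_for_origin`. It shows that Proxy-Authorization is dropped while the Authorization header meant for the destination still passes through the proxy, and that Basic credentials are only Base64-encoded.

```python
import base64

# Hop-by-hop headers from RFC 2616 section 13.5.1 (plus the "Trailer" spelling).
# A proxy must consume these itself and never pass them to the origin server.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "trailers", "transfer-encoding", "upgrade",
}

def decode_basic(value):
    """Return (user, password) from a Basic credential, or None if not valid Basic."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def headers_for_origin(client_headers):
    """Filter (name, value) pairs down to what may be forwarded to the origin."""
    # Any header named in Connection is hop-by-hop for this connection as well.
    listed = set()
    for name, value in client_headers:
        if name.lower() == "connection":
            listed.update(t.strip().lower() for t in value.split(",") if t.strip())
    drop = HOP_BY_HOP | listed
    return [(n, v) for n, v in client_headers if n.lower() not in drop]

# Constructed sample request as received by the proxy (not real credentials).
SAMPLE = [
    ("Host", "origin.example"),
    ("Proxy-Authorization", "Basic " + base64.b64encode(b"alice:s3cret").decode()),
    ("Authorization", "Basic " + base64.b64encode(b"alice:site-pw").decode()),
    ("Connection", "keep-alive, X-Internal-Hop"),
    ("X-Internal-Hop", "1"),
    ("Accept", "*/*"),
]

if __name__ == "__main__":
    print("proxy credential seen by the proxy:", decode_basic(SAMPLE[1][1]))
    for name, value in headers_for_origin(SAMPLE):
        print(f"forwarded -> {name}: {value}")
```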

In reality, there is no practical way to protect your data when it passes through an untrusted proxy server.  Even using SSL does not completely help, as there are various man-in-the-middle (MITM) attacks on SSL sessions which can be implemented if you can manipulate the connection via a proxy server.  The only solution is to never use a third-party untrusted proxy server for anything.

