Xianbo Wang

Ph.D. Candidate at MobiTeC Lab, The Chinese University of Hong Kong.


I am a security researcher and hacking enthusiast. I was born in Kunming, a city in China known for its eternal spring. Currently, I am pursuing a PhD under the supervision of Prof. Wing Cheong Lau. Before that, I obtained a BSc in Mathematics from the same university. My recent research interests are in mobile system and application (in)security, especially authentication and authorization issues. Some of my work has been published at academic conferences such as USENIX Security, CCS, and NDSS, and some has been presented at hacking conferences such as Black Hat.

I have been a fan of CTF and bug bounty. From time to time, I wish I could have spent more time on them, be smarter, and be one of those cool hackers. Except for not being cool enough, I’m pretty happy with my daily research and life. Finding vulnerabilities is what makes me most excited, and coding is what I usually do when I’m bored.

news

Jun 1, 2024 Two consecutive years as Black Hat USA speaker! This year our talk is about OAuth attacks.
Jan 10, 2024 Our Black Hat USA 2023 talk about hacking mobile face recognition SDKs is available online now.
May 4, 2022 A PHYjacking related vulnerability we reported to Android was patched as CVE-2022-20007.
Dec 14, 2021 Our PHYjacking paper was accepted in NDSS 2022.

selected publications

  1. Black Hat
    One Hack to Rule Them All: Pervasive Account Takeovers in Integration Platforms for Workflow Automation, Virtual Voice Assistant, IoT, & LLM Services
    Kaixuan Luo, Xianbo Wang, Adonis Fung, and 2 more authors
    Black Hat USA Briefings, 2024
  2. CCS
    SWIDE: A Semantic-aware Detection Engine for Successful Web Injection Attacks
    Ronghai Yang*, Xianbo Wang*, Kaixuan Luo, and 4 more authors
    * indicates equal contribution
    Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2024
  3. Black Hat
    The Living Dead: Hacking Mobile Face Recognition SDKs with Non-Deepfake Attacks
    Xianbo Wang, Kaixuan Luo, and Wing Cheong Lau
    Black Hat USA Briefings, 2023
  4. NDSS
    PHYjacking: Physical Input Hijacking for Zero-Permission Authorization Attacks on Android
    Xianbo Wang, Shangcheng Shi, Yikang Chen, and 1 more author
    Proceedings of the Network and Distributed System Security Symposium (NDSS), 2022
  5. USENIX
    Scalable Detection of Promotional Website Defacements in Black Hat SEO Campaigns
    Ronghai Yang*, Xianbo Wang*, Cheng Chi, and 4 more authors
    * indicates equal contribution
    In 30th USENIX Security Symposium (USENIX Security 21), 2021
  6. Black Hat
    Make Redirection Evil Again: URL Parser Issues in OAuth
    Xianbo Wang, Shangcheng Shi, Ronghai Yang, and 1 more author
    Black Hat Asia Briefings, 2019