I am a security researcher and hacking enthusiast. I was born in Kunming, a city in China known for its eternal spring. Currently, I am pursuing a PhD under the supervision of Prof. Wing Cheong Lau. Before that, I obtained a BSc in Mathematics from the same university. My recent research interests are in mobile system and application (in)security, especially authentication and authorization issues. Some of my works were published in academic conferences like USENIX and NDSS, and some were presented in hacking conferences like Black Hat.
I have been a fan of CTF and bug bounty. From time to time, I wish I could have spent more time on them, be smarter, and be one of those cool kids. Except for not being cool enough, I’m pretty happy with my daily research and life. Finding vulnerabilities is what makes me most excited, and coding is what I usually do when I’m bored.
Nowadays, most mobile devices are equipped with various hardware interfaces such as touchscreen, fingerprint scanner, camera and microphone to capture inputs from the user. Many mobile apps use these physical interfaces to receive user-input for authentication/authorization operations including one-click login, fingerprint-based payment approval, and face/voice unlocking. In this paper, we investigate the so-called PHYjacking attack where a victim is misled by a zero-permission malicious app to feed physical inputs to different hardware interfaces on a mobile device to result in unintended authorization. We analyze the protection mechanisms in Android for different types of physical input interfaces and introduce new techniques to bypass them. Specifically, we identify weaknesses in the existing protection schemes for the related system APIs and observe common pitfalls when apps implement physical-input-based authorization. Worse still, we discover a race-condition bug in Android that can be exploited even when app-based mitigations are properly implemented. Based on these findings, we introduce fingerprint-jacking and facejacking techniques and demonstrate their impact on real apps. We also discuss the feasibility of launching similar attacks against NFC and microphone inputs, as well as effective tapjacking attacks against Single Sign-On apps. We have designed a static analyzer to examine 3000+ real-world apps and find 44% of them contain PHYjacking-related implementation flaws. We demonstrate the practicality and potential impact of PHYjacking via proof-of-concept implementations which enable unauthorized money transfer on a payment app with over 800 million users, user-privacy leak from a social media app with over 400 million users and escalating app permissions in Android 11.
@article{Wang2022PHYjackingPI,
  title={PHYjacking: Physical Input Hijacking for Zero-Permission Authorization Attacks on Android},
  author={Wang, Xianbo and Shi, Shangcheng and Chen, Yikang and Lau, Wing Cheong},
  journal={Proceedings Network and Distributed System Security Symposium},
  year={2022},
}
USENIX
Scalable Detection of Promotional Website Defacements in Black Hat {SEO} Campaigns
Ronghai Yang*, Xianbo Wang*, Cheng Chi, Dawei Wang, Jiawei He, Siming Pang, and Wing Cheong Lau
* indicates equal contribution
In 30th USENIX Security Symposium (USENIX Security 21), 2021
Miscreants from online underground economies regularly exploit website vulnerabilities and inject fraudulent content into victim web pages to promote illicit goods and services. Scalable detection of such promotional website defacements remains an open problem despite their prevalence in Black Hat Search Engine Optimization (SEO) campaigns. Adversaries often manage to inject content in a stealthy manner by obfuscating the description of illicit products and/or the presence of defacements to make them undetectable. In this paper, we design and implement DMoS, a Defacement Monitoring System which protects websites from promotional defacements at scale. Our design is based on two key observations: Firstly, for effective advertising, the obfuscated jargon of illicit goods or services needs to be easily understood by its target customers (i.e., sharing a similar shape or pronunciation with the original term). Secondly, to promote the underground business, the defacements are crafted to boost the search engine ranking of the defaced web pages while trying to stay stealthy from the maintainers and legitimate users of the compromised websites. Leveraging these insights, we first follow the human convention and design a jargon normalization algorithm to map obfuscated jargon to its original form. We then develop a tag embedding mechanism, which enables DMoS to focus more on those not-so-visually-obvious, yet site-ranking-influential HTML tags (i.e., title, meta). Consequently, DMoS can reliably detect illicit content hidden in compromised web pages. In particular, we have deployed DMoS as a cloud-based monitoring service for a five-month trial run. It has analyzed more than 38 million web pages across 7000+ commercial Chinese websites and found defacements in 11% of these websites. It achieves a recall over 99% with a precision of about 89%.
While the original design of DMoS focuses on the detection of Chinese promotional defacements, we have extended the system and demonstrated its applicability for English website defacement detection via proof-of-concept experiments.
@inproceedings{yang2021scalable,
  title={Scalable Detection of Promotional Website Defacements in Black Hat {SEO} Campaigns},
  author={Yang*, Ronghai and Wang*, Xianbo and Chi, Cheng and Wang, Dawei and He, Jiawei and Pang, Siming and Lau, Wing Cheong},
  booktitle={30th USENIX Security Symposium (USENIX Security 21)},
  pages={3703--3720},
  year={2021},
  equal={true},
}
Black Hat
Make Redirection Evil Again: URL Parser Issues in OAuth
Xianbo Wang, Shangcheng Shi, Ronghai Yang, and Wing Cheong Lau
Since 2012, OAuth 2.0 has been widely deployed by online service providers worldwide. Security headlines related to OAuth showed up from time to time, and most problems were caused by incorrect implementations of the protocol. The User-Agent Redirection mechanism in OAuth is one of the weaker links, as it is difficult for developers and operators to realize, understand and implement all of its subtle but critical requirements properly. In this talk, we begin by tracing the history of the security community’s understanding of OAuth redirection threats. The resultant evolution of the OAuth specification, as well as the best current practice on its implementation, will also be discussed. We then introduce new OAuth redirection attack techniques which exploit the interaction of URL parsing problems with redirection handling in mainstream browsers or mobile apps. In particular, some attacks leverage our newly discovered URL interpretation bugs in mainstream browsers or the Android platform (the latter were independently discovered and have been patched recently). Our empirical study on 50 OAuth service providers worldwide found that numerous top-tier providers with over 10,000 OAuth client apps and tens of millions of end-users are vulnerable to this new attack with severe impact. In particular, it enables the attacker to hijack 3rd-party (Relying Party) application accounts, gain access to sensitive private information, or even perform privileged actions on behalf of the victim users.
@article{RedirectionBH2019,
  title={Make Redirection Evil Again: URL Parser Issues in OAuth},
  author={Wang, Xianbo and Shi, Shangcheng and Yang, Ronghai and Lau, Wing Cheong},
  journal={Black Hat Asia Briefings},
  year={2019},
}