Xianbo Wang
Ph.D. from MobiTeC Lab, The Chinese University of Hong Kong (2025).
I am a security researcher and hacking enthusiast. I was born in Kunming, a city in China known for its eternal spring. I obtained my PhD in 2025 under the supervision of Prof. Wing Cheong Lau. Before that, I obtained a BSc in Mathematics from the same university. My recent research interests are in mobile system and application (in)security, especially about authentication and authorization issues. Some of my works were published in academic conferences like USENIX, CCS, and NDSS, and some were presented in hacking conferences like Black Hat.
I have been a fan of CTF and bug bounty. From time to time, I wish I could have spent more time on them, been smarter, and been one of those cool hackers. Except for not being cool enough, I’m pretty happy with my daily research and life. Finding vulnerabilities is what makes me most excited, and coding is what I usually do when I’m bored.
news
| Date | News |
|---|---|
| Feb 28, 2026 | Our paper “Demystifying the (In)Security of OAuth-based Account Linking in Connector Ecosystems” has been accepted to IEEE S&P 2026! |
| Aug 30, 2025 | Congrats to myself for graduating and obtaining my Ph.D. degree! (Luckily) not looking for jobs. |
selected publications
- IEEE S&P: Demystifying the (In)Security of OAuth-based Account Linking in Connector Ecosystems. Kaixuan Luo, Xianbo Wang, Pui Ho Adonis Fung, and 1 more author. 47th IEEE Symposium on Security and Privacy (IEEE S&P 2026), 2026

```bibtex
@article{LuoAccountLinkingSP,
  title = {Demystifying the (In)Security of OAuth-based Account Linking in Connector Ecosystems},
  author = {Luo, Kaixuan and Wang, Xianbo and Fung, Pui Ho Adonis and Lau, Wing Cheong},
  journal = {47th IEEE Symposium on Security and Privacy (IEEE S&P 2026)},
  year = {2026},
}
```

- Black Hat: Back to the Future: Hacking and Securing Connection-based OAuth Architectures in Agentic AI and Integration Platforms. Kaixuan Luo, Xianbo Wang, Adonis Fung, and 2 more authors. Black Hat USA Briefings, 2025
Access delegation is indispensable for Agentic AI and Integration Platforms, where orchestration engines (e.g., Microsoft Power Automate, Copilot Studio) obtain access tokens from 3rd-party providers to act on behalf of end-users or authenticate end-users across chat channels. To better support these new use cases, there is a growing trend to offload token retrieval and lifecycle management to a separate cloud-based service (a.k.a. Credential Manager, Token Store), which enables developers to streamline "access re-delegation" when building AI agents and low-code solutions. Different home-grown variants of OAuth have emerged to support such access re-delegation architecture.
Unlike the traditional OAuth setup, re-delegation centralizes token handling via a dedicated OAuth Token Service (a.k.a. OAuth-as-a-Service), which introduces an abstract "OAuth connection". This connection provides an application a pre-configured handle for a managed OAuth token, outsourcing token negotiations with the OAuth Authorization Server to the Token Service. Unlike "Broker" architectures that chain together two OAuth flows (authorization server-broker and broker-application), under the new connection-based OAuth architecture, applications acquire and utilize tokens through proprietary "OAuth connections" instead.
We have found that such a proprietary approach often reintroduces critical new vulnerabilities previously mitigated by OAuth standards. In this talk, we explain how classic web vulnerabilities like Session Fixation, Open Redirect, Confused Deputy, XSS, and Cross-window Communication attacks have re-manifested themselves or been amplified within these proprietary, yet increasingly-common, connection-based OAuth architectures. Through practical exploits of these vulnerabilities, attackers can take over well-authenticated AI agents or gain unauthorized access to arbitrary integrations, all without explicit user consent.
Using Microsoft as a case study, we illustrate how connection-based OAuth architectures are adopted in Azure, Power Platform, and Copilot Studio. We systematize the attack surface and highlight how Microsoft’s case reflects the good, the bad and the ugly across the industry, revealing systemic issues shared by other vendors such as Composio and ByteDance Coze.
Attendees will walk away with an attacker’s mindset and actionable best practices in building a hardened auth layer for AI agents and integrations.

```bibtex
@article{LuoOAuthBH2025,
  title = {Back to the Future: Hacking and Securing Connection-based OAuth Architectures in Agentic AI and Integration Platforms},
  author = {Luo, Kaixuan and Wang, Xianbo and Fung, Adonis and Bi, Yanxiang and Lau, Wing Cheong},
  journal = {Black Hat USA Briefings},
  year = {2025},
  video = {https://www.youtube.com/watch?v=__NtTfL0oPw},
}
```

- USENIX: Universal Cross-app Attacks: Exploiting and Securing OAuth 2.0 in Integration Platforms. Kaixuan Luo, Xianbo Wang, Pui Ho Adonis Fung, and 2 more authors. 34th USENIX Security Symposium (USENIX Security 25), 2025
Integration Platforms such as Workflow Automation Platforms, Virtual Assistants and Smart Homes are becoming an integral part of the Internet. These platforms welcome third-parties to develop and distribute apps in their open marketplaces, and support "account linking" to connect end-users’ app accounts to their platform account. This enables the platform to orchestrate a wide range of external services on behalf of the end-users. While OAuth is the de facto standard for account linking, the open nature of integration platforms poses new threats, as their OAuth architecture could be exploited by untrusted integrated apps.
In this paper, we examine the flawed designs of multi-app OAuth authorizations that support account linking in integration platforms. We unveil two new platform-wide attacks due to the lack of app differentiation: Cross-app OAuth Account Takeover (COAT) and Request Forgery (CORF). As long as a victim end-user establishes account linking with a malicious app, or potentially with just a click on a crafted link, they risk unauthorized access or privacy leakage of any apps on the platform.
To facilitate systematic discovery of vulnerabilities, we develop COVScan, a semi-automated black-box testing tool that profiles varied OAuth designs to identify cross-app vulnerabilities in real-world platforms. Our measurement study reveals that among 18 popular consumer- or enterprise-facing integration platforms, 11 are vulnerable to COAT and another 5 to CORF, including those built by Microsoft, Google and Amazon. The vulnerabilities render widespread impact, leading to unauthorized control over end-users’ services and devices, covert logging of sensitive information, and compromising a major ecosystem in single click (a CVE with CVSS 9.6). We responsibly reported the vulnerabilities and collaborated with the affected vendors to deploy comprehensive solutions.

```bibtex
@article{LuoUniversalUSENIX,
  title = {Universal Cross-app Attacks: Exploiting and Securing OAuth 2.0 in Integration Platforms},
  author = {Luo, Kaixuan and Wang, Xianbo and Fung, Pui Ho Adonis and Lau, Wing Cheong and Lecomte, Julien},
  journal = {34th USENIX Security Symposium (USENIX Security 25)},
  year = {2025},
}
```

- Black Hat: One Hack to Rule Them All: Pervasive Account Takeovers in Integration Platforms for Workflow Automation, Virtual Voice Assistant, IoT, & LLM Services. Kaixuan Luo, Xianbo Wang, Adonis Fung, and 2 more authors. Black Hat USA Briefings, 2024
Integration Platforms for Workflow Automation (e.g., Microsoft Power Automate), Virtual Voice Assistants (e.g., Amazon Alexa), Smart Homes (e.g., Google Home), and Large Language Model (LLM) platforms supporting Plugins (e.g. OpenAI ChatGPT), are becoming essential in our personal and professional lives. However, we find many of these platforms vulnerable to a new class of authorization attacks. As one of their core functions, integration platforms support "Account Linking" to connect end-users’ accounts at third-party services/apps (e.g., Gmail, Dropbox) to their platform account. This enables the platform to utilize and orchestrate a wide range of external services on behalf of the end-user. For example, users can configure Microsoft Power Automate to automatically send an email whenever a new GitHub issue is filed. Multi-party authorizations are known to be error-prone and should have gone through strict security scrutiny. Yet, with our newly discovered attacks, we successfully exploit the account linking mechanisms of 24 out of 25 mainstream integration platforms, resulting in account takeovers or privacy leakage of integrated apps/services. In this talk, we unveil how top-tier vendors improperly realize OAuth-based account linking under the new context of Integration Platforms. The failure to verify bindings with both the intended platform user and active third-party service/app compromises the session integrity of account linking. We detail the technical aspects of 3 attacks on integration platforms’ authorization frameworks: two enable account takeovers, and one leads to forced account linking of arbitrary services/apps. Notably, most attacks have easy-to-satisfy preconditions and can often be reduced to 1-click attacks. For instance, an attacker can compromise victims’ Microsoft 365 suite or Azure services with their single click on an unassuming link (a CVE with CVSS 9.6). 
We also offer our comprehensive insights into best security practices and mitigations and highlight some vendors’ invalid remedial attempts for each identified threat, benefiting the wider community.
```bibtex
@article{LuoOAuthBH,
  title = {One Hack to Rule Them All: Pervasive Account Takeovers in Integration Platforms for Workflow Automation, Virtual Voice Assistant, IoT, & LLM Services},
  author = {Luo, Kaixuan and Wang, Xianbo and Fung, Adonis and Lecomte, Julien and Lau, Wing Cheong},
  journal = {Black Hat USA Briefings},
  year = {2024},
}
```

- CCS: SWIDE: A Semantic-aware Detection Engine for Successful Web Injection Attacks. Ronghai Yang*, Xianbo Wang*, Kaixuan Luo, and 4 more authors (* indicates equal contribution). Proceedings ACM Conference on Computer and Communications Security (CCS), 2024
Web attacks, a primary vector for system breaches, pose a significant challenge within the cybersecurity landscape. The growing intensity of web attack attempts has led to “alert fatigue” where enterprises are inundated by excessive alerts. Although extensive research is being conducted on automated methods for detecting web attacks, it remains an open problem to identify whether the attacks are successful. Towards this end, we present SWIDE (Successful Web Injection Detection Engine), an engine to pinpoint successful web injection attacks (e.g., PHP command injection, SQL injection). This enables enterprises to focus exclusively on those crucial threats. Our methodology builds on two insights: Firstly, while attackers tend to apply payload obfuscation techniques to evade detection, all successful web injection attacks must comply with the programming language syntax to be executable; Secondly, these attacks inevitably produce observable effects, such as returning execution result or creating backdoors for future access by the attacker. Consequently, we leverage advanced syntactic and semantic analysis to 1) detect malicious syntax features in obfuscated payloads and 2) perform semantic analysis of the payload to recover the intention of the attack. With a two-stage design, namely, attack identification and confirmation mechanisms, SWIDE can accurately identify successful attacks, even amidst intricate obfuscations. Unlike proof-of-concept studies, SWIDE has been deployed and validated in real-world environments through collaborations with a cybersecurity firm. Serving 5,045 enterprise users, our system identifies that roughly 15% of enterprises have suffered from successful attacks on a weekly basis - an alarmingly high rate. Moreover, we perform a detailed analysis of six months’ data and discover 60 zero-day vulnerabilities exploited in the wild, including 12 high-risk ones acknowledged by relevant authorities. 
These findings underscore the practical effectiveness of SWIDE.
```bibtex
@article{swide,
  title = {SWIDE: A Semantic-aware Detection Engine for Successful Web Injection Attacks},
  author = {Yang*, Ronghai and Wang*, Xianbo and Luo, Kaixuan and Lei, Xin and Li, Ke and Lin, Jiayuan and Lau, Wing Cheong},
  journal = {Proceedings ACM Conference on Computer and Communications Security (CCS)},
  year = {2024},
  equal = {true},
}
```

- Black Hat: The Living Dead: Hacking Mobile Face Recognition SDKs with Non-Deepfake Attacks. Xianbo Wang, Kaixuan Luo, and Wing Cheong Lau. Black Hat USA Briefings, 2023
Face recognition is increasingly popular in mobile apps, especially for critical tasks like opening a bank account. To prevent identity spoof using injected images, liveness detection is crucial. This is particularly important due to the widespread availability of stolen identity documents and selfies on the black market. While many researchers have studied deepfake or presentation attacks that target machine learning models, few have addressed the protocol design or implementation issues in face recognition systems that can enable low-cost and easy-to-scale attacks. Starting from several real-world incidents of non-deepfake attacks, we will delve into the technical aspect of mobile face recognition spoofing. Our analysis of 18 mobile face recognition libraries, including those from industry leaders, reveals their security flaws that can result in liveness detection bypasses. After scanning more than 18,000 apps, we discovered approximately 1,000 apps that had face recognition libraries and a total of 100 million downloads. We conducted proof-of-concept identity forgery attacks against several popular apps. Without presenting in camera, we were able to complete identity verification by using only static photos of the "victim". Finally, we will provide reference protocol for secure face recognition systems in mobile apps, along with security caveats for implementation. With this talk, we hope to draw the community’s attention back on to the system security in the era of AI.
```bibtex
@article{LivingDeadBHUSA,
  title = {The Living Dead: Hacking Mobile Face Recognition SDKs with Non-Deepfake Attacks},
  author = {Wang, Xianbo and Luo, Kaixuan and Lau, Wing Cheong},
  journal = {Black Hat USA Briefings},
  year = {2023},
  video = {https://www.youtube.com/watch?v=nPE2AjNB2sI},
}
```

- NDSS: PHYjacking: Physical Input Hijacking for Zero-Permission Authorization Attacks on Android. Xianbo Wang, Shangcheng Shi, Yikang Chen, and 1 more author. Proceedings Network and Distributed System Security Symposium, 2022
Nowadays, most mobile devices are equipped with various hardware interfaces such as touchscreen, fingerprint scanner, camera and microphone to capture inputs from the user. Many mobile apps use these physical interfaces to receive user-input for authentication/authorization operations including one-click login, fingerprint-based payment approval, and face/voice unlocking. In this paper, we investigate the so-called PHYjacking attack where a victim is misled by a zero-permission malicious app to feed physical inputs to different hardware interfaces on a mobile device to result in unintended authorization. We analyze the protection mechanisms in Android for different types of physical input interfaces and introduce new techniques to bypass them. Specifically, we identify weaknesses in the existing protection schemes for the related system APIs and observe common pitfalls when apps implement physical-input-based authorization. Worse still, we discover a race-condition bug in Android that can be exploited even when app-based mitigations are properly implemented. Based on these findings, we introduce fingerprint-jacking and facejacking techniques and demonstrate their impact on real apps. We also discuss the feasibility of launching similar attacks against NFC and microphone inputs, as well as effective tapjacking attacks against Single Sign-On apps. We have designed a static analyzer to examine 3000+ real-world apps and find 44% of them contain PHYjacking-related implementation flaws. We demonstrate the practicality and potential impact of PHYjacking via proof-of-concept implementations which enable unauthorized money transfer on a payment app with over 800 million users, user-privacy leak from a social media app with over 400 million users and escalating app permissions in Android 11.
```bibtex
@article{Wang2022PHYjackingPI,
  title = {PHYjacking: Physical Input Hijacking for Zero-Permission Authorization Attacks on Android},
  author = {Wang, Xianbo and Shi, Shangcheng and Chen, Yikang and Lau, Wing Cheong},
  journal = {Proceedings Network and Distributed System Security Symposium},
  year = {2022},
}
```

- USENIX: Scalable Detection of Promotional Website Defacements in Black Hat SEO Campaigns. Ronghai Yang*, Xianbo Wang*, Cheng Chi, and 4 more authors (* indicates equal contribution). In 30th USENIX Security Symposium (USENIX Security 21), 2021
Miscreants from online underground economies regularly exploit website vulnerabilities and inject fraudulent content into victim web pages to promote illicit goods and services. Scalable detection of such promotional website defacements remains an open problem despite their prevalence in Black Hat Search Engine Optimization (SEO) campaigns. Adversaries often manage to inject content in a stealthy manner by obfuscating the description of illicit products and/or the presence of defacements to make them undetectable. In this paper, we design and implement DMoS—a Defacement Monitoring System which protects websites from promotional defacements at scale. Our design is based on two key observations: Firstly, for effective advertising, the obfuscated jargons of illicit goods or services need to be easily understood by their target customers (i.e., sharing similar shape or pronunciation). Secondly, to promote the underground business, the defacements are crafted to boost search engine ranking of the defaced web pages while trying to stay stealthy from the maintainers and legitimate users of the compromised websites. Leveraging these insights, we first follow the human convention and design a jargon normalization algorithm to map obfuscated jargons to their original forms. We then develop a tag embedding mechanism, which enables DMoS to focus more on those not-so-visually-obvious, yet site-ranking influential HTML tags (i.e., title, meta). Consequently, DMoS can reliably detect illicit content hidden in compromised web pages. In particular, we have deployed DMoS as a cloud-based monitoring service for a five-month trial run. It has analyzed more than 38 million web pages across 7000+ commercial Chinese websites and found defacements in 11% of these websites. It achieves a recall over 99% with a precision about 89%. 
While the original design of DMoS focuses on the detection of Chinese promotional defacements, we have extended the system and demonstrated its applicability for English website defacement detection via proof-of-concept experiments.
```bibtex
@inproceedings{yang2021scalable,
  title = {Scalable Detection of Promotional Website Defacements in Black Hat $\{$SEO$\}$ Campaigns},
  author = {Yang*, Ronghai and Wang*, Xianbo and Chi, Cheng and Wang, Dawei and He, Jiawei and Pang, Siming and Lau, Wing Cheong},
  booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
  pages = {3703--3720},
  year = {2021},
  equal = {true},
}
```

- Black Hat: Make Redirection Evil Again: URL Parser Issues in OAuth. Xianbo Wang, Shangcheng Shi, Ronghai Yang, and 1 more author. Black Hat Asia Briefings, 2019
Since 2012, OAuth 2.0 has been widely deployed by online service providers worldwide. Security-related headlines related to OAuth showed up from time to time, and most problems were caused by incorrect implementations of the protocol. The User-Agent Redirection mechanism in OAuth is one of the weaker links as it is difficult for developers and operators to realize, understand and implement all the subtle but critical requirements properly. In this talk, we begin by tracing the history of the security community’s understanding of OAuth redirection threats. The resultant evolution of the OAuth specification, as well as the best current practice on its implementation, will also be discussed. We then introduce new OAuth redirection attack techniques which exploit the interaction of URL parsing problems with redirection handling in mainstream browsers or mobile apps. In particular, some attacks leverage our newly discovered URL interpretation bugs in mainstream browsers or Android platform (The latter were independently discovered and have been patched recently). Our empirical study on 50 OAuth service providers worldwide found that numerous top-tiered providers with over 10,000 OAuth client apps and 10’s of millions of end-users are vulnerable to this new attack with severe impact. In particular, it enables the attacker to hijack 3rd party (Relying party) application accounts, gain access to sensitive private information, or even perform privileged actions on behalf of the victim users.
```bibtex
@article{RedirectionBH2019,
  title = {Make Redirection Evil Again: URL Parser Issues in OAuth},
  author = {Wang, Xianbo and Shi, Shangcheng and Yang, Ronghai and Lau, Wing Cheong},
  journal = {Black Hat Asia Briefings},
  year = {2019},
}
```