publications | Xianbo Wang

2022

NDSS
PHYjacking: Physical Input Hijacking for Zero-Permission Authorization Attacks on Android

Xianbo Wang, Shangcheng Shi, Yikang Chen, and 1 more author

Proceedings Network and Distributed System Security Symposium, 2022

Abs Bib PDF Website

Nowadays, most mobile devices are equipped with various hardware interfaces such as touchscreen, fingerprint scanner, camera and microphone to capture inputs from the user. Many mobile apps use these physical interfaces to receive user-input for authentication/authorization operations including one-click login, fingerprint-based payment approval, and face/voice unlocking. In this paper, we investigate the so-called PHYjacking attack where a victim is misled by a zero-permission malicious app to feed physical inputs to different hardware interfaces on a mobile device to result in unintended authorization. We analyze the protection mechanisms in Android for different types of physical input interfaces and introduce new techniques to bypass them. Specifically, we identify weaknesses in the existing protection schemes for the related system APIs and observe common pitfalls when apps implement physical-input-based authorization. Worse still, we discover a race-condition bug in Android that can be exploited even when app-based mitigations are properly implemented. Based on these findings, we introduce fingerprint-jacking and facejacking techniques and demonstrate their impact on real apps. We also discuss the feasibility of launching similar attacks against NFC and microphone inputs, as well as effective tapjacking attacks against Single Sign-On apps. We have designed a static analyzer to examine 3000+ real-world apps and find 44% of them contain PHYjacking-related implementation flaws. We demonstrate the practicality and potential impact of PHYjacking via proof-of-concept implementations which enable unauthorized money transfer on a payment app with over 800 million users, user-privacy leak from a social media app with over 400 million users and escalating app permissions in Android 11.
@article{Wang2022PHYjackingPI, title = {PHYjacking: Physical Input Hijacking for Zero-Permission Authorization Attacks on Android}, author = {Wang, Xianbo and Shi, Shangcheng and Chen, Yikang and Lau, Wing Cheong}, journal = {Proceedings Network and Distributed System Security Symposium}, year = {2022}, }

2021

USENIX
Scalable Detection of Promotional Website Defacements in Black Hat {SEO} Campaigns

Ronghai Yang*, Xianbo Wang*, Cheng Chi, and 4 more authors
* indicates equal contribution
In 30th USENIX Security Symposium (USENIX Security 21), 2021

Abs Bib PDF Slides

Miscreants from online underground economies regularly exploit website vulnerabilities and inject fraudulent content into victim web pages to promote illicit goods and services. Scalable detection of such promotional website defacements remains an open problem despite their prevalence in Black Hat Search Engine Optimization (SEO) campaigns. Adversaries often manage to inject content in a stealthy manner by obfuscating the description of illicit products and/or the presence of defacements to make them undetectable. In this paper, we design and implement DMoS—a Defacement Monitoring System which protects websites from promotional defacements at scale. Our design is based on two key observations: Firstly, for effective advertising, the obfuscated jargons of illicit goods or services need to be easily understood by their target customers (i.e., sharing similar shape or pronunciation). Secondly, to promote the underground business, the defacements are crafted to boost search engine ranking of the defaced web pages while trying to stay stealthy from the maintainers and legitimate users of the compromised websites. Leveraging these insights, we first follow the human convention and design a jargon normalization algorithm to map obfuscated jargons to their original forms. We then develop a tag embedding mechanism, which enables DMoS to focus more on those not-so-visually-obvious, yet site-ranking influential HTML tags (i.e., title, meta). Consequently, DMoS can reliably detect illicit content hidden in compromised web pages. In particular, we have deployed DMoS as a cloud-based monitoring service for a five-month trial run. It has analyzed more than 38 million web pages across 7000+ commercial Chinese websites and found defacements in 11% of these websites. It achieves a recall over 99% with a precision about 89%. While the original design of DMoS focuses on the detection of Chinese promotional defacements, we have extended the system and demonstrated its applicability for English website defacement detection via proof-of-concept experiments.
@inproceedings{yang2021scalable, title = {Scalable Detection of Promotional Website Defacements in Black Hat $\{$SEO$\}$ Campaigns}, author = {Yang*, Ronghai and Wang*, Xianbo and Chi, Cheng and Wang, Dawei and He, Jiawei and Pang, Siming and Lau, Wing Cheong}, booktitle = {30th USENIX Security Symposium (USENIX Security 21)}, pages = {3703--3720}, year = {2021}, equal = {true}, }
ACNS
Breaking and Fixing Third-Party Payment Service for Mobile Apps

Shangcheng Shi, Xianbo Wang, and Wing Cheong Lau

In International Conference on Applied Cryptography and Network Security, 2021

Abs Bib PDF

Riding on the widespread user adoption of mobile payment, a growing number of mobile apps have integrated the service from third-party payment service providers or so-called Cashiers. Despite its prevalence and critical nature, no existing standard can guide the secure deployment of mobile payment. Thus, the protocol designs and implementations from different Cashiers are diverse. Given the complicated multi-party interactions in mobile payment, either the Cashiers or the apps may not fully consider various threat models, which enlarges the attack surface and causes the exploits with severe consequences, ranging from financial loss to privacy violations. In this paper, we perform an in-depth security analysis of real-world third-party payment services for mobile apps. Specifically, we examine the mobile payment systems from five top-tier Cashiers that serve over one billion users globally. Leveraging insecure protocol designs and practical implementation flaws, e.g., vulnerable backend SDKs for mobile apps, we have discovered six types of exploits. These exploits enable the attacker to violate user privacy and shop for free in the victim apps, affecting millions of users. Finally, we propose the fixings to defend against these exploits. We have shared our findings with the affected Cashiers and got their positive responses.
@inproceedings{shi2021breaking, title = {Breaking and Fixing Third-Party Payment Service for Mobile Apps}, author = {Shi, Shangcheng and Wang, Xianbo and Lau, Wing Cheong}, booktitle = {International Conference on Applied Cryptography and Network Security}, pages = {3--26}, year = {2021}, organization = {Springer}, }
SecureComm
An Empirical Study on Mobile Payment Credential Leaks and Their Exploits

Shangcheng Shi, Xianbo Wang, Kyle Zeng, and 2 more authors

In International Conference on Security and Privacy in Communication Systems, 2021

Abs Bib PDF

Recently, mobile apps increasingly integrate with payment services, enabling the user to pay orders with a third-party payment service provider, namely Cashier. During the payment process, both the app and Cashier rely on some credentials to secure the service. Despite the importance, many developers tend to overlook the protection of payment credentials and inadvertently expose them to the wild. Such leaks severely affect the security of end-users and the merchants associated with the apps, resulting in privacy violations and actual financial loss. In this paper, we study the payment credential leaks for four top-tiered Cashiers that serve over one billion users and tens of millions of merchants globally. Through studying practical mobile payment systems, we identify new leaking sources of payment credentials and find 4 types of exploits with severe consequences, which are caused by the credential leaks and additional implementation flaws. Besides, we design an automatic tool, PayKeyMiner, and use it to discover around 20,000 leaked payment credentials, affecting thousands of apps. We have reported our findings to the Cashiers. All of them have confirmed the issue and pledged to notify the affected merchant apps, while some of these apps have updated the leaked payment credentials afterward.
@inproceedings{shi2021empirical, title = {An Empirical Study on Mobile Payment Credential Leaks and Their Exploits}, author = {Shi, Shangcheng and Wang, Xianbo and Zeng, Kyle and Yang, Ronghai and Lau, Wing Cheong}, booktitle = {International Conference on Security and Privacy in Communication Systems}, pages = {79--98}, year = {2021}, organization = {Springer}, }
Black Hat
Mining and Exploiting (Mobile) Payment Credential Leaks in the Wild

Shangcheng Shi, Xianbo Wang, and Wing Cheong Lau

Black Hat Asia Briefings, 2021

Abs Bib PDF Slides

Over the past decade, an increasing number of mobile apps have integrated the third-party payment function from service providers or so-called Cashiers. Thus, end-users can perform the payment within the smartphone through these Cashiers readily. To secure their services, the Cashiers define various payment credentials, e.g., PKCS#12 certificates, and share them with mobile apps for authentication and authorization operations, such as refund. Despite the security-critical nature of these payment credentials, the existing works focus on the specific credential leaks from known sources, e.g., Android APKs or GitHub. In contrast, little effort has been spent to study the prevalence of payment credential leaks in the wild and their security impacts. In this talk, we begin by giving the background of the mobile payment service from four first-tier Cashiers that serve over 1 billion users globally. After that, we introduce the potential leaking sources of the payment credentials, including the new ones that have not been investigated on a large scale before. For example, we find that the backend servers of mobile apps can expose payment credentials to the public inadvertently. Then, we describe four exploits enabled by the payment credential leaks when combining other implementation flaws. These exploits all bring about serious consequences, ranging from direct financial loss to the mobile apps to privacy violations for end-users. Specifically, with the leaked payment credentials, the attacker may steal money from the account of the mobile apps directly and obtain all the user payment records. Further, we design and implement an automatic tool to conduct credential mining from public VCS and APKs at a market scale. Consequently, we discovered around 20,000 leaked payment credentials, affecting thousands of apps and millions of end-users. We have made the responsible disclosure to the Cashiers, and some leaking apps revoked their credentials afterward.
@article{PaymentBH2021, title = {Mining and Exploiting (Mobile) Payment Credential Leaks in the Wild}, author = {Shi, Shangcheng and Wang, Xianbo and Lau, Wing Cheong}, journal = {Black Hat Asia Briefings}, year = {2021}, }

2020

Evading Web Application Firewalls with Reinforcement Learning

Xianbo Wang, and Han Hu

Technical Report, 2020

Abs Bib PDF

Web Application Firewalls (WAF) are widely deployed to protect web servers from security threats like SQL injections. WAF products employ various techniques, e.g., syntax signature and machine learning, to detect and block suspicious web traffics. However, no WAF can be absolutely secure, there are always space for adversaries to craft malicious messages that can evade the detection. In the past, most evasion techniques are developed manually, which requires labour and intelligence. In this work, we propose to explore the possibility of automating the process of WAF evasion using reinforcement learning. We created a reinforcement learning environment (based on OpenAI gym) for WAF evasion tasks and evaluate various mainstream WAF products with Proximal Policy Optimization (PPO) algorithm. Our framework successfully discovered numbers of evasion payloads for each WAF in our experiments and can significantly outperform baseline policy. Finally, we extract common patterns from the discovered evasion payloads and discuss weaknesses/flaws of existing WAF products as well as suggested improvements.
@article{Wang2020EvadingWA, title = {Evading Web Application Firewalls with Reinforcement Learning}, author = {Wang, Xianbo and Hu, Han}, journal = {Technical Report}, year = {2020}, }
Black Hat
Fingerprint-Jacking: Practical Fingerprint Authorization Hijacking in Android Apps

Xianbo Wang, Yikang Chen, Ronghai Yang, and 2 more authors

Black Hat Europe Briefings, 2020

Abs Bib Slides Video

Many mobile devices carry a fingerprint scanner nowadays. Mobile apps utilize the fingerprint scanner to facilitate operations such as account login and payment authorization. Despite its security-critical nature, relatively little effort has been devoted to the security analysis of fingerprint scanner, especially from the system security aspect. In this paper, we introduce fingerprint-jacking, a type of User-Interface-based (UI) attack that targets fingerprint hijacking in Android apps. We coin the term from clickjacking, as our attack also conceals the original interface beneath a fake covering. Specifically, we discover five novel attack techniques, all of which can be launched from zero-permission malicious apps and some can even bypass the latest countermeasures in Android 9+. Our race-attack is effective against all apps that integrate the fingerprint API. As apps’ implementation flaws intensify the fingerprint-jacking vulnerability, we have designed a static analyzer to efficiently identify apps with implementation flaws that can lead to fingerprint-jacking. In our evaluation of 1630 Android apps that utilize the fingerprint API, we found 347 (21.3%) apps with different implementation issues. We have successfully performed proof-of-concept attacks on some popular apps, including stealing money via a payment app with over 100,000,000 users, gaining root access in the most widely used root manager app, and much more. We have also reported related vulnerability to Google, which is identified as CVE-2020-27059 and will be fixed in next Android patch release. Finally, we give guidance to Android app developers for secure fingerprint implementation.
@article{FingerjackingBH2020, title = {Fingerprint-Jacking: Practical Fingerprint Authorization Hijacking in Android Apps}, author = {Wang, Xianbo and Chen, Yikang and Yang, Ronghai and Shi, Shangcheng and Lau, Wing Cheong}, journal = {Black Hat Europe Briefings}, year = {2020}, video = {https://www.youtube.com/watch?v=P5VAwTEIte0} }

2019

AsiaCCS
MoSSOT: An automated blackbox tester for single sign-on vulnerabilities in mobile applications

Shangcheng Shi, Xianbo Wang, and Wing Cheong Lau

In Proceedings of the ACM Asia Conference on Computer and Communications Security, 2019

Abs Bib PDF Code

Mobile applications today increasingly integrate Single Sign-On (SSO) into their account management mechanisms. Unfortunately, the involved multi-party protocol, i.e., OAuth 2.0, was originally designed to serve websites for authorization purpose. Due to the complexity of the adapted protocol, a large number of insecure SSO implementations still exist in the wild. Although the security testing for real-world SSO deployments has attracted considerable attention in recent years, existing work either focuses on websites or relies on the manual discovery of specific and previously-known vulnerabilities. In the paper, we design and implement MoSSOT (Mobile SSO Tester), an automated blackbox security testing tool for Android applications utilizing the SSO services from three mainstream service providers. The tool detects the vulnerabilities within the practical SSO implementations by fuzzing related network messages. We used MoSSOT to examine over 500 first-tier third-party Android applications from US and Chinese app markets. According to the test result, around 72% of the tested applications incorrectly implement SSO and are thus vulnerable. Besides, our test identifies an unknown vulnerability as well as a new variant, in addition to four known ones. The vulnerabilities enable the attacker to illegally log into the mobile applications as the victims or gain access to the protected resources. MoSSOT has been released as an open-source project.
@inproceedings{shi2019mossot, title = {MoSSOT: An automated blackbox tester for single sign-on vulnerabilities in mobile applications}, author = {Shi, Shangcheng and Wang, Xianbo and Lau, Wing Cheong}, booktitle = {Proceedings of the ACM Asia Conference on Computer and Communications Security}, pages = {269--282}, year = {2019}, }
Black Hat
Make Redirection Evil Again: URL Parser Issues in OAuth

Xianbo Wang, Shangcheng Shi, Ronghai Yang, and 1 more author

Black Hat Asia Briefings, 2019

Abs Bib PDF Code Slides

Since 2012, OAuth 2.0 has been widely deployed by online service providers worldwide. Security-related headlines related to OAuth showed up from time to time, and most problems were caused by incorrect implementations of the protocol. The User-Agent Redirection mechanism in OAuth is one of the weaker links as it is difficult for developers and operators to realize, understand and implement all the subtle but critical requirements properly. In this talk, we begin by tracing the history of the security community’s understanding of OAuth redirection threats. The resultant evolution of the OAuth specification, as well as the best current practice on its implementation, will also be discussed. We then introduce new OAuth redirection attack techniques which exploit the interaction of URL parsing problems with redirection handling in mainstream browsers or mobile apps. In particular, some attacks leverage our newly discovered URL interpretation bugs in mainstream browsers or Android platform (The latter were independently discovered and have been patched recently). Our empirical study on 50 OAuth service providers worldwide found that numerous top-tiered providers with over 10,000 OAuth client apps and 10’s of millions of end-users are vulnerable to this new attack with severe impact. In particular, it enables the attacker to hijack 3rd party (Relying party) application accounts, gain access to sensitive private information, or even perform privileged actions on behalf of the victim users.
@article{RedirectionBH2019, title = {Make Redirection Evil Again: URL Parser Issues in OAuth}, author = {Wang, Xianbo and Shi, Shangcheng and Yang, Ronghai and Lau, Wing Cheong}, journal = {Black Hat Asia Briefings}, year = {2019}, }