About our CCS’13 paper
• iOS and Android weaknesses allow stealthy pilfering of website credentials, Ars Technica, August 27, 2013
About our Oakland’12 paper
• Study Finds Major Weaknesses in Single Sign-on Systems, Network World, March 27, 2012
• Flawed sign-in services from Google and Facebook imperil user account, Ars Technica, March 25, 2012
• Trial finds EIGHT WAYS to defeat Google, PayPal and other SSOs, The Register, March 20, 2012
• Researchers discover flaws in SSO that leave websites vulnerable, Infosecurity, March 20
• Web Services Single Sign-On Contain Big Flaws, Dark Reading, March 19, 2012
• Researchers discover “worrisome” authentication flaws in many online services, ZDNet, March 16, 2012
About our finding of an OpenID authentication bug
• OpenID Warns Of Serious Bug, InformationWeek, May 9, 2011
• OpenID warns of ‘psychic paper’ authentication attack, Register, May 9, 2011
• OpenID Foundation warns of identity transmission bug, ZDNet UK, May 9, 2011
• OpenID Foundation Warns Websites of Authentication Flaw, eWeek, May 9, 2011
About our Oakland’11 paper
• How to Shop for Free Online (video interview), Channel 9, May 17, 2011
• Vulnerabilities in Online Payment Systems, Schneier on Security, May 9, 2011
(Shaz Qadeer and I didn’t directly participate in the following interviews, for a non-academic reason.)
• Researchers find major flaws in online payment systems, CNN, April 13, 2011
• Exploit-wielding boffins go on free online shopping binge — World’s biggest e-commerce sites wide open, Register, April 12, 2011
• Could criminals shop for free online? CNET, April 11, 2011
• Security Researchers Exploit Logic Flaws to Shop for Free Online, Network World, April 11, 2011
About our finding of a Facebook authentication bug
• Informatics students discover, alert Facebook to threat allowing access to private data, PhysOrg, Feb 3, 2011
• New Facebook vulnerability patched, ComputerWorld, Feb 2, 2011
• Facebook Fixes Security Vulnerability, eWeek, Feb 2, 2011
• Facebook plugs gnarly authentication flaw, Register, Feb 2, 2011
• Facebook flaw allowed websites to steal users’ personal data without consent, Graham Cluley’s blog, Feb 2, 2011
About our Oakland’10 paper
• Side Channel Attacks in SSL, ha.ckers.org, June 21st, 2010
• SaaS Apps May Leak Data Even When Encrypted, Study Says, Dark Reading, March 26th, 2010
• Side-Channel Attacks on Encrypted Web Traffic, Schneier on Security, March 26th, 2010
• Researchers sound alarm on Web app “side channel” data leaks, Network World, March 25th, 2010
• Your health, tax, and search data siphoned: Software-as-a-service springs SSL leak, The Register, March 23rd, 2010
• Side-Channel Leaks in Web Applications, Freedom To Tinker, March 23rd, 2010
About our Oakland’09 paper
• Browser flaws expose users to man-in-the-middle attacks, ZDNet, August 7th, 2009
• Mozilla patches 11 Firefox bugs, six critical. Plugs SSL hole reported by Microsoft researchers, Computer World, June 12, 2009
• Breaking Web Browsers’ Trust, Technology Review, May 21st, 2009
I encourage Ph.D. students to seek Microsoft Research internship opportunities. I myself interned here in the summers of 2003 and 2004. An MSR internship is interesting, challenging and rewarding. Please ask your advisor to write a reference letter for you as early as you can! Most offers are made in the early spring.
- Summer 2016: Matt McCutchen (MIT). Project: Self-Verifying Execution.
- Summer 2015: Peter Chapman (CMU).
- Summer 2015: Daniel Song (Rice University, co-mentored with Helen Wang). Project: Self-Verifying Execution.
- Summer 2013: Eric Chen (CMU), expertise: web security. Project: Certification of symbolic transaction, in IEEE Symposium on Security and Privacy 2015.
- Summer 2012: Yuchen Zhou (University of Virginia), expertise: web security. Project: Implicit security assumptions of SDKs, in USENIX Security Symposium 2013.
- Summer 2011: Rui Wang (Indiana University), expertise: web security. Project: Web-based single-sign-on systems, in IEEE Symposium on Security and Privacy 2012.
- Summer 2010: Rui Wang (Indiana University), expertise: web security. Project: How to shop for free online, in IEEE Symposium on Security and Privacy 2011.
- Summer 2009: Rui Wang (Indiana University), expertise: web security. Project: Side channel leaks in web applications, in IEEE Symposium on Security and Privacy 2010.
- Summer 2008: Hong Chen (Purdue), expertise: access control. Project: Browser’s residue objects, in EuroSys 2010.
- Summer 2007: Ziqing Mao (Purdue), expertise: access control. Project: Pretty-Bad-Proxy, in IEEE Symposium on Security and Privacy 2009.
- Summer 2006: Ralf Sasse (UIUC), expertise: formal methods. Project: GUI logic errors, in IEEE Symposium on Security and Privacy 2007.