All publications

Session Juggler allows to log into any websites on an untrusted terminal on any modern browser by using a simple bookmarklet and a smartphone. The site credentials are never transmited to the untrusted. With Session Juggler users never enter their long term credential on the untrusted terminal. Instead, users log in to a web site using a smartphone app and then transfer the entire session, including cookies and all other session state, to the untrusted terminal.

TalkBack is a new blog Linkback protocol that use a lightweight PKI and a rate limiting system to fight blog SPAM

We show how to perform memory based attack against real-strategy games using our tool Kartograph to create map-hack. To defend against theses attacks we develop secure protocols for distributing game state among players so that each client only has the data he is allowed to see.

Kamouflage is a new kind of password manager that use plausible decoys to prevent offline attacks when the master password is weak.

We reveal a series of attacks against embedded devices based on a new type of vulnerability that we call cross channel scripting (XCS). XCS is a sophisticated form of cross site scripting (XSS) in which the attack injection and execution are carried out via different protocols.

Based on our reverse-engineering we show how DPAPI, the Windows API for safe data storage on disk work. Our analysis reveals that it is possible to recover all previous passwords used by any user on a system. We have implemented DPAPI data decryption and previous password extraction in a free and open-source tool called DPAPIck.

We study frame busting defense for the Alexa Top-500 sites and show that all can be broken. Some attacks are browser-specific, other exploit code mistakes. We conclude with practical recommendations how to implement a secure frame busting defense.

We evaluate the effectiveness of the most popular web automated vulnerability scanners and analyze how effective they are at detecting various vulnerabilities (XSS, CSRF, SQLi…). We also test how good they are at crawling websites and discovering non-standard links (flash, java, AJAX)

We conducted a longitudinal study of TrackBack spam, collecting and analyzing almost 10 million samples from a massive spam campaign over a 1 period. We report our finding including where the spam campaign leads and why blog spammers are different than email spammers.

This paper shows how Decpatcha is able to break eBay captchas with 75% accuracy. We show that using a custom breaker (75%) greatly out-perform state of art speech recognition system (1%)

We present a three-fold extension to the anticipation-game framework designed to model network cooperation, the cost of attacks based on its duration and the introduction of new vector of attacks over time.

The anticipation-games are a logic-based framework designed to evaluate the resilience of networks against attacks. What set anticipation-games from standard attack graphs is that it allows to model the dynamic nature of the attack and to take into account how the administrator respond to attacks .

We present how to by pass offline the 4 layers of Windows encryption that protect web credentials and instant messengers credentials. We explain how to extract the sensitive data stored by the four major web browsers and the most popular instant messengers softwares such as Skype and Live messenger.

We demonstrate how to steal a WiFi network WPA key and location by attacking the router web interface. Then we show how to bypass SSL warning on Internet Explorer and Firefox to perform HTTPS cache injection attacks. Finally we show how to perform various advanced click-jacking attacks on browser and phones (tapjacking).