publications and talks
2025
- [Black Hat] Back to the Future: Hacking and Securing Connection-based OAuth Architectures in Agentic AI and Integration Platforms. Kaixuan Luo, Xianbo Wang, Adonis Fung, Yanxiang Bi, and Wing Cheong Lau. Black Hat USA Briefings, 2025.
Access delegation is indispensable for Agentic AI and Integration Platforms, where orchestration engines (e.g., Microsoft Power Automate, Copilot Studio) obtain access tokens from third-party providers to act on behalf of end-users or to authenticate end-users across chat channels. To better support these new use cases, there is a growing trend to offload token retrieval and lifecycle management to a separate cloud-based service (a.k.a. Credential Manager, Token Store), which lets developers streamline "access re-delegation" when building AI agents and low-code solutions. Different home-grown variants of OAuth have emerged to support such an access re-delegation architecture. Unlike the traditional OAuth setup, re-delegation centralizes token handling in a dedicated OAuth Token Service (a.k.a. OAuth-as-a-Service), which introduces an abstract "OAuth connection". This connection gives an application a pre-configured handle for a managed OAuth token, outsourcing token negotiation with the OAuth Authorization Server to the Token Service. Unlike "Broker" architectures that chain together two OAuth flows (authorization server-broker and broker-application), under the new connection-based OAuth architecture applications acquire and use tokens through proprietary "OAuth connections" instead. We have found that such a proprietary approach often reintroduces critical vulnerabilities that the OAuth standards had previously mitigated. In this talk, we explain how classic web vulnerabilities like Session Fixation, Open Redirect, Confused Deputy, XSS, and Cross-window Communication attacks have re-manifested themselves or been amplified within these proprietary, yet increasingly common, connection-based OAuth architectures. Through practical exploits of these vulnerabilities, attackers can take over well-authenticated AI agents or gain unauthorized access to arbitrary integrations, all without explicit user consent.
Using Microsoft as a case study, we illustrate how connection-based OAuth architectures are adopted in Azure, Power Platform, and Copilot Studio. We systematize the attack surface and highlight how Microsoft’s case reflects the good, the bad and the ugly across the industry, revealing systemic issues shared by other vendors such as Composio and ByteDance Coze. Attendees will walk away with an attacker’s mindset and actionable best practices for building a hardened auth layer for AI agents and integrations.
- [USENIX Security] Universal Cross-app Attacks: Exploiting and Securing OAuth 2.0 in Integration Platforms. Kaixuan Luo, Xianbo Wang, Pui Ho Adonis Fung, Wing Cheong Lau, and Julien Lecomte. 34th USENIX Security Symposium (USENIX Security 25), 2025.
Integration Platforms such as Workflow Automation Platforms, Virtual Assistants and Smart Homes are becoming an integral part of the Internet. These platforms welcome third parties to develop and distribute apps in their open marketplaces, and support "account linking" to connect end-users’ app accounts to their platform account. This enables the platform to orchestrate a wide range of external services on behalf of the end-users. While OAuth is the de facto standard for account linking, the open nature of integration platforms poses new threats, as their OAuth architecture could be exploited by untrusted integrated apps. In this paper, we examine the flawed designs of multi-app OAuth authorizations that support account linking in integration platforms. We unveil two new platform-wide attacks caused by the lack of app differentiation: Cross-app OAuth Account Takeover (COAT) and Request Forgery (CORF). As long as a victim end-user establishes account linking with a malicious app, or potentially with just a click on a crafted link, they risk unauthorized access to or privacy leakage from any app on the platform. To facilitate systematic discovery of vulnerabilities, we develop COVScan, a semi-automated black-box testing tool that profiles varied OAuth designs to identify cross-app vulnerabilities in real-world platforms. Our measurement study reveals that among 18 popular consumer- or enterprise-facing integration platforms, 11 are vulnerable to COAT and another 5 to CORF, including those built by Microsoft, Google and Amazon. The vulnerabilities have widespread impact, leading to unauthorized control over end-users’ services and devices, covert logging of sensitive information, and compromise of a major ecosystem with a single click (a CVE with CVSS 9.6). We responsibly reported the vulnerabilities and collaborated with the affected vendors to deploy comprehensive solutions.
- [OSW] Cross-app OAuth Attacks in Integration Platforms: Mix-up Attacks Reloaded. Kaixuan Luo, Xianbo Wang, Adonis Fung, Julien Lecomte, and Wing Cheong Lau. OAuth Security Workshop (OSW), 2025.
OAuth Mix-up attacks were considered hard to exploit. In this talk, we focus on open ecosystems like integration platforms that enable practical variants of mix-up attacks via malicious app integrations, and discuss potential tailored spec changes.
2024
- [Black Hat] One Hack to Rule Them All: Pervasive Account Takeovers in Integration Platforms for Workflow Automation, Virtual Voice Assistant, IoT, & LLM Services. Kaixuan Luo, Xianbo Wang, Adonis Fung, Julien Lecomte, and Wing Cheong Lau. Black Hat USA Briefings, 2024.
Integration Platforms for Workflow Automation (e.g., Microsoft Power Automate), Virtual Voice Assistants (e.g., Amazon Alexa), Smart Homes (e.g., Google Home), and Large Language Model (LLM) platforms supporting Plugins (e.g., OpenAI ChatGPT) are becoming essential in our personal and professional lives. However, we find many of these platforms vulnerable to a new class of authorization attacks. As one of their core functions, integration platforms support "Account Linking" to connect end-users’ accounts at third-party services/apps (e.g., Gmail, Dropbox) to their platform account. This enables the platform to utilize and orchestrate a wide range of external services on behalf of the end-user. For example, users can configure Microsoft Power Automate to automatically send an email whenever a new GitHub issue is filed. Multi-party authorizations are known to be error-prone and should have gone through strict security scrutiny. Yet, with our newly discovered attacks, we successfully exploit the account linking mechanisms of 24 out of 25 mainstream integration platforms, resulting in account takeovers or privacy leakage of integrated apps/services. In this talk, we unveil how top-tier vendors improperly realize OAuth-based account linking in the new context of Integration Platforms. The failure to verify bindings with both the intended platform user and the active third-party service/app compromises the session integrity of account linking. We detail the technical aspects of 3 attacks on integration platforms’ authorization frameworks: two enable account takeovers, and one leads to forced account linking of arbitrary services/apps. Notably, most attacks have easy-to-satisfy preconditions and can often be reduced to 1-click attacks. For instance, an attacker can compromise a victim’s Microsoft 365 suite or Azure services with a single click on an unassuming link (a CVE with CVSS 9.6).
We also offer comprehensive insights into best security practices and mitigations, and highlight some vendors’ invalid remedial attempts for each identified threat, benefiting the wider community.
- [CCS] SWIDE: A Semantic-aware Detection Engine for Successful Web Injection Attacks. Ronghai Yang, Xianbo Wang, Kaixuan Luo, Xin Lei, Ke Li, and 2 more authors. Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2024.
Web attacks, a primary vector for system breaches, pose a significant challenge within the cybersecurity landscape. The growing intensity of web attack attempts has led to “alert fatigue”, where enterprises are inundated by excessive alerts. Although extensive research is being conducted on automated methods for detecting web attacks, it remains an open problem to identify whether the attacks are successful. Towards this end, we present SWIDE (Successful Web Injection Detection Engine), an engine to pinpoint successful web injection attacks (e.g., PHP command injection, SQL injection). This enables enterprises to focus exclusively on those crucial threats. Our methodology builds on two insights: first, while attackers tend to apply payload obfuscation techniques to evade detection, all successful web injection attacks must comply with the programming language syntax to be executable; second, these attacks inevitably produce observable effects, such as returning execution results or creating backdoors for future access by the attacker. Consequently, we leverage advanced syntactic and semantic analysis to 1) detect malicious syntax features in obfuscated payloads and 2) perform semantic analysis of the payload to recover the intention of the attack. With a two-stage design, namely attack identification and confirmation mechanisms, SWIDE can accurately identify successful attacks, even amidst intricate obfuscations. Unlike proof-of-concept studies, SWIDE has been deployed and validated in real-world environments through collaboration with a cybersecurity firm. Serving 5,045 enterprise users, our system identifies that roughly 15% of enterprises suffer from successful attacks on a weekly basis - an alarmingly high rate. Moreover, we perform a detailed analysis of six months’ data and discover 60 zero-day vulnerabilities exploited in the wild, including 12 high-risk ones acknowledged by relevant authorities. These findings underscore the practical effectiveness of SWIDE.
- [ACNS] Living a Lie: Security Analysis of Facial Liveness Detection Systems in Mobile Apps. Xianbo Wang, Kaixuan Luo, and Wing Cheong Lau. International Conference on Applied Cryptography and Network Security, 2024.
Mobile apps are embracing facial recognition technology to streamline the identity verification procedure for security-critical activities such as opening online bank accounts. To ensure the security of the system, liveness detection plays a vital role as an anti-spoofing component, verifying that a submitted selfie comes from a live individual. Emerging facial recognition companies offer convenient integration services through mobile libraries that are widely used by numerous apps in the market. By analyzing 18 mobile facial recognition libraries, we reveal the protocol design and implementation intricacies of various systems. The investigation leads to the discovery of several system security issues in over half of the libraries, predominantly linked to the liveness detection module. These vulnerabilities can be exploited for low-cost identity forgery attacks without relying on media synthesis technologies like deepfakes. We scan 18,096 apps from an app market and identify 802 apps incorporating recognized facial recognition libraries, with over 100 million total downloads. More than half of the libraries examined exhibit weak security, with about 40% of downstream mobile apps affected. This study emphasizes the importance of system security in mobile facial recognition services, as the practical impact can be on par with or even surpass that of the extensively studied machine learning attacks.
2023
- [Black Hat] The Living Dead: Hacking Mobile Face Recognition SDKs with Non-Deepfake Attacks. Xianbo Wang, Kaixuan Luo, and Wing Cheong Lau. Black Hat USA Briefings, 2023.
Face recognition is increasingly popular in mobile apps, especially for critical tasks like opening a bank account. To prevent identity spoofing using injected images, liveness detection is crucial. This is particularly important given the widespread availability of stolen identity documents and selfies on the black market. While many researchers have studied deepfake or presentation attacks that target machine learning models, few have addressed the protocol design or implementation issues in face recognition systems that can enable low-cost and easy-to-scale attacks. Starting from several real-world incidents of non-deepfake attacks, we will delve into the technical aspects of mobile face recognition spoofing. Our analysis of 18 mobile face recognition libraries, including those from industry leaders, reveals security flaws that can result in liveness detection bypasses. After scanning more than 18,000 apps, we discovered approximately 1,000 apps that include face recognition libraries, with a total of 100 million downloads. We conducted proof-of-concept identity forgery attacks against several popular apps. Without ever appearing in front of the camera, we were able to complete identity verification using only static photos of the "victim". Finally, we will provide a reference protocol for secure face recognition systems in mobile apps, along with security caveats for implementation. With this talk, we hope to draw the community’s attention back to system security in the era of AI.
- [TSE] Effective Isolation of Fault-Correlated Variables via Statistical and Mutation Analysis. Ming Wen, Zifan Xie, Kaixuan Luo, Xiao Chen, Yibiao Yang, and 1 more author. IEEE Transactions on Software Engineering, 2023.
It is a widely adopted strategy for developers to monitor the values of program variables when debugging in practice. In particular, developers often set breakpoints at specific locations or execute the program step by step in debugging mode to inspect whether abnormal values or status are observed for the variables of concern. Such a practical debugging strategy helps developers understand and localize the target fault. This study aims to automatically identify the suspicious program variables of a given fault (denoted as fault-correlated variables), thus facilitating debugging activities for developers. To the best of our knowledge, this is the finest granularity in fault localization (FL) so far, and it addresses the coarse-grainedness that limits existing FL techniques. However, isolating fault-correlated variables precisely is challenging, since a program usually uses or defines a large number of different variables, and plenty of them sit in the same basic block, where they cannot be discriminated from one another because they are all either executed or not executed together under the given test suite. To address these challenges, this study presents IsoVar, a two-phase model to isolate fault-correlated variables. Specifically, IsoVar first performs statistical analysis based on variable execution matrices, a novel concept proposed in this study, to identify a set of suspicious variables. It then dynamically observes the impact of those variables on the program after applying subtle mutations at the bytecode level, to further isolate fault-correlated variables. Extensive experiments on Defects4J and Bears demonstrate that IsoVar significantly outperforms state-of-the-art techniques (by 13.0% for MAP and 19.3% for MRR). More importantly, we incorporated IsoVar into 11 existing FL techniques as well as 14 automated program repair techniques, and found that IsoVar can significantly boost their performance.