Research - Madiba Security Research Group

Full publications list: M. Mannan J. Clark
List of CVEs: CVEs

Selected Publications

WWW 2023 All Your Shops Are Belong to Us: Security Weaknesses in E-commerce Platforms

USENIX Security 2023 "My Privacy for their Security": Employees' Privacy Perspectives and Expectations when using Enterprise Security Software

ACM CCS 2022 Hidden in Plain Sight: Exploring Encrypted Channels in Android Apps

ASIACRYPT 2022 Short-lived Zero-Knowledge Proofs and Signatures

WWW 2022 Et tu, Brute? Privacy Analysis of Government Websites and Mobile Apps

ASIACCS 2022 On Measuring Vulnerable JavaScript Functions in the Wild

FC 2021 Securing Email: a Stakeholder-based Analysis

ACSAC 2020 Betrayed by the Guardian: Security and Privacy Risks of Parental Control Solutions

USENIX Security 2020 Chaperone: Real-time Locking and Loss Prevention for Smartphones

ISOC NDSS 2019 TEE-aided Write Protection Against Privileged Data Tampering

FC 2019 One-Time Programs made Practical

WWW 2018 SafeKeeper: Protecting Web Passwords using Trusted Execution Environments

CACM 2017 Bitcoin's Academic Pedigree

ACM CCS 2016 Hypnoguard: Protecting Secrets across Sleep-wake Cycles

IEEE TIFS 2016 Deceptive Deletion Triggers under Coercion

ISOC NDSS 2016 Killed by Proxy: Analyzing Client-end TLS Interception Software

ACM CCS 2015 Provisions: Privacy-preserving Proofs of Solvency for Bitcoin Exchanges

ACM TISSEC 2015 Large-Scale Evaluation of High-Impact Password Strength Meters

IEEE S&P 2015 Research Perspectives and Challenges for Bitcoin and Cryptocurrencies

IEEE TDSC 2014 Mobiflage: Deniable Storage Encryption for Mobile Devices

IEEE S&P 2013 SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements

FC 2012 CommitCoin: Carbon Dating Commitments with Bitcoin

ACM CCS 2011 Unicorn: Two-Factor Attestation for Data Security

USENIX Security 2010 Scantegrity II Municipal Election at Takoma Park: The First E2E Binding Governmental Election with Ballot Privacy

Publications with CVE-IDs

On Detecting and Measuring Exploitable JavaScript Functions in Real-World Applications. Maryna Kluban, Mohammad Mannan, Amr Youssef. ACM Transactions on Privacy and Security (accepted Oct 2023).

CVE-2021-44906 (CVSS base score: 9.8/10, Critical)
CVE-2021-44908 (CVSS base score: 9.8/10, Critical)
CVE-2022-37257 (CVSS base score: 9.8/10, Critical)
CVE-2022-37258 (CVSS base score: 9.8/10, Critical)
CVE-2022-37264 (CVSS base score: 9.8/10, Critical)
CVE-2022-37265 (CVSS base score: 9.8/10, Critical)
CVE-2022-37266 (CVSS base score: 9.8/10, Critical)
CVE-2021-42581 (CVSS base score: 9.1/10, Critical)
CVE-2021-43138 (CVSS base score: 7.8/10, High)
CVE-2022-37259 (CVSS base score: 7.5/10, High)
CVE-2022-37260 (CVSS base score: 7.5/10, High)
CVE-2022-37262 (CVSS base score: 7.5/10, High)

All Your Shops Are Belong to Us: Security Weaknesses in E-commerce Platforms. Rohan Pagey, Mohammad Mannan, Amr Youssef. The Web Conference (WWW 2023), Apr 30 - May 4, 2023, Austin, TX, USA.

CVE-2022-33077 (CVSS base score: 7.5/10, High)
CVE-2019-25060 (CVSS base score: 5.3/10, Medium)

Security Weaknesses in IoT Management Platforms. Bhaskar Tejaswi, Mohammad Mannan, Amr Youssef. IEEE Internet of Things Journal, accepted June 2023.

CVE-2022-31860 (CVSS base score: 9.8/10, Critical)
CVE-2022-34020 (CVSS base score: 8.8/10, High)
CVE-2022-35135 (CVSS base score: 8.8/10, High)
CVE-2022-34022 (CVSS base score: 7.2/10, High)
CVE-2022-35136 (CVSS base score: 6.5/10, Medium)
CVE-2022-31861 (CVSS base score: 5.4/10, Medium)
CVE-2022-35137 (CVSS base score: 5.4/10, Medium)
CVE-2022-34021 (CVSS base score: 5.4/10, Medium)
CVE-2022-35612 (CVSS base score: 5.4/10, Medium)
CVE-2022-35134 (CVSS base score: 5.4/10, Medium)
CVE-2022-35611 (CVSS base score: 4.3/10, Medium)

Silver Surfers on the Tech Wave: Privacy Analysis of Android Apps for the Elderly. Pranay Kapoor, Rohan Pagey, Mohammad Mannan, Amr Youssef. EAI International Conference on Security and Privacy in Communication Networks (SecureComm), Oct 17-19, 2022, Online.

CVE-2022-30083 (CVSS base score: 9.8/10, Critical)

SAUSAGE: Security Analysis of Unix domain Socket usAGE in Android. Mounir Elgharabawy, Blas Kojusner, M. Mannan, Kevin R. B. Butler, Byron Williams, and A. Youssef. IEEE European Symposium on Security and Privacy (IEEE EuroS&P 2022), June 6-10, 2022, Genoa, Italy.

CVE-2021-25461 (CVSS base score: 7.8/10, High)

Madiba Security Research Group

Concordia Institute for Information Systems Engineering Faculty of Engineering and Computer Science

Selected Publications

WWW 2023 All Your Shops Are Belong to Us: Security Weaknesses in E-commerce Platforms

USENIX Security 2023 "My Privacy for their Security": Employees' Privacy Perspectives and Expectations when using Enterprise Security Software

ACM CCS 2022 Hidden in Plain Sight: Exploring Encrypted Channels in Android Apps

ASIACRYPT 2022 Short-lived Zero-Knowledge Proofs and Signatures

WWW 2022 Et tu, Brute? Privacy Analysis of Government Websites and Mobile Apps

ASIACCS 2022 On Measuring Vulnerable JavaScript Functions in the Wild

FC 2021 Securing Email: a Stakeholder-based Analysis

ACSAC 2020 Betrayed by the Guardian: Security and Privacy Risks of Parental Control Solutions

USENIX Security 2020 Chaperone: Real-time Locking and Loss Prevention for Smartphones

ISOC NDSS 2019 TEE-aided Write Protection Against Privileged Data Tampering

FC 2019 One-Time Programs made Practical

WWW 2018 SafeKeeper: Protecting Web Passwords using Trusted Execution Environments

CACM 2017 Bitcoin's Academic Pedigree

ACM CCS 2016 Hypnoguard: Protecting Secrets across Sleep-wake Cycles

IEEE TIFS 2016 Deceptive Deletion Triggers under Coercion

ISOC NDSS 2016 Killed by Proxy: Analyzing Client-end TLS Interception Software

ACM CCS 2015 Provisions: Privacy-preserving Proofs of Solvency for Bitcoin Exchanges

ACM TISSEC 2015 Large-Scale Evaluation of High-Impact Password Strength Meters

IEEE S&P 2015 Research Perspectives and Challenges for Bitcoin and Cryptocurrencies

IEEE TDSC 2014 Mobiflage: Deniable Storage Encryption for Mobile Devices

IEEE S&P 2013 SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements

FC 2012 CommitCoin: Carbon Dating Commitments with Bitcoin

ACM CCS 2011 Unicorn: Two-Factor Attestation for Data Security

USENIX Security 2010 Scantegrity II Municipal Election at Takoma Park: The First E2E Binding Governmental Election with Ballot Privacy

Publications with CVE-IDs

On Detecting and Measuring Exploitable JavaScript Functions in Real-World Applications. Maryna Kluban, Mohammad Mannan, Amr Youssef. ACM Transactions on Privacy and Security (accepted Oct 2023).

All Your Shops Are Belong to Us: Security Weaknesses in E-commerce Platforms. Rohan Pagey, Mohammad Mannan, Amr Youssef. The Web Conference (WWW 2023), Apr 30 - May 4, 2023, Austin, TX, USA.

Security Weaknesses in IoT Management Platforms. Bhaskar Tejaswi, Mohammad Mannan, Amr Youssef. IEEE Internet of Things Journal, accepted June 2023.

Silver Surfers on the Tech Wave: Privacy Analysis of Android Apps for the Elderly. Pranay Kapoor, Rohan Pagey, Mohammad Mannan, Amr Youssef. EAI International Conference on Security and Privacy in Communication Networks (SecureComm), Oct 17-19, 2022, Online.

SAUSAGE: Security Analysis of Unix domain Socket usAGE in Android. Mounir Elgharabawy, Blas Kojusner, M. Mannan, Kevin R. B. Butler, Byron Williams, and A. Youssef. IEEE European Symposium on Security and Privacy (IEEE EuroS&P 2022), June 6-10, 2022, Genoa, Italy.

Concordia Institute for Information Systems Engineering
Faculty of Engineering and Computer Science