Prof. Xiaofeng Wang Named In Apple Security Fixes


3/17/17

As an integral part of CSI's security focus, our researchers and faculty work to both find and help fix security holes in widely used devices, protocols, and operating systems. A superb example of this vital mission is the work by Professor Xiaofeng Wang, who along with Luyi Xing, Xiaolong Bai, and Kai Chen of Indiana University, and in association with Tongxin Li of Peking University, Xiaojing Liao of Georgia Institute of Technology, Shi-Min Hu of Tsinghua University, and Xinhui Han of Peking University, discovered an insecurity in Apple's Keychain Assistant in 2015.

The hole was a significant threat that provided an avenue for unauthorized access to passwords held in the Keychain Assistant application, as was well described in major news media articles:

Major Mac flaw spills your passwords, CNN Tech

Indiana University computer science professor XiaoFeng Wang and his team of researchers found several ways a bad app could "cross over" into other apps.

 

The researchers found that malicious software could slip into the Apple Keychain, delete old passwords, and wait for you to retype them in. When you do, it grabs them.

Apple, after significant work, issued updates to MacOS 10.9-10.11 and in doing so named Professor Wang and the other researchers whose work exposed the serious flaw.

About the security content of OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks

Today millions of MacOS users have a more secure computing environment, and Apple, a vital industry member of our computing ecosystem, is improved. That is the outcome that CSI seeks in its core goal of employing collaboration, research and advocacy to make a more secure computing world.

Dr. Wang received his Ph.D. in Computer Engineering from Carnegie Mellon University in 2004, and then joined Indiana University at Bloomington as assistant professor (Aug. 2004 to Jun. 2010) and then associate professor (after Jun. 2010). Currently Professor Wang serves both as a professor of informatics and computer sciences and as co-director of the Security Informatics Program at IU with Professor Jean Camp.