Luyi Xing, an assistant professor in the Luddy School of Informatics, Computing, and Engineering, earned an award from Facebook after discovering security holes in apps that allowed third-party vendors to gain access to people’s Facebook logins. His research has affected an estimated 9.5 million users, according to an IU press release.
Xing won a $30,000 award from Facebook through the Bug Bounty program, IU announced in early February. The program rewards people for finding security holes that companies' security teams may have missed. His Facebook research was inspired by the Cambridge Analytica Facebook scandal, in which the data analytics firm harvested the data of up to 87 million people without their consent.
Xing has been working at IU since June 2018 and independently searching for security holes for companies since 2011, when he began his Ph.D. program at IU.
“Our research is to protect real world users,” Xing said.
Through his research, he discovered that software development kits owned by other third-party service vendors could steal data from the software development kits belonging to Facebook. Apps have software development kits which allow them to have functions such as logging into external websites using a Facebook account. The kits are created by vendors that do not own the app.
After Xing made this discovery, he notified the app developers so they could fix the issues. Sometimes these solutions can be as simple as removing the problematic SDKs from the app, but this is only possible when the function the SDK provides is not necessary for the app to continue to work, Xing said.
Xing said he wanted the money that he received from the award to go back into his research and supporting research assistants.
Yue Xiao, a Ph.D. student who worked as a research assistant with Xing on this project, said the hardest part of the research was the amount of data, as Xiao and Xing went through many apps that each had their own SDKs.
She said she learned many technical skills through this research that she will use in her future career in cyber security, such as program analysis tools and natural language processing, which involves coding and allows computers to understand human languages.
“I’m really proud that the research found helpful information for the users,” Xiao said.
Yuzhen Ye, the interim chair of computer science at the school, said this type of work is becoming increasingly important as security problems become more serious.
“It really demonstrates what impact faculty research can have on the real world,” Ye said.