I’m a computer science PhD candidate at University of Illinois at Chicago. I’m a member of BITS Networked Systems Laboratory where I’m being advised by Chris Kanich. My research interests cover several areas of security and privacy. In the past, I have conducted studies on large-scale user de-anonymization techniques and understanding flaws in well-established authentication systems. My current research is focused on robust anti-fingerprinting and anti-tracking methods in browsers.
Conference & Workshop Papers
"SpeedReader: Reader Mode Made Fast and Private" [PDF]
Mohammad Ghasemisharif, Peter Snyder, Andrius Aucinas, Benjamin Livshits
(To appear) In Proceedings of The Web Conference (WWW), May 2019, San Francisco, CA.
"O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web" [PDF][Data]
Mohammad Ghasemisharif, Amrutha Ramesh, Stephen Checkoway, Chris Kanich, and Jason Polakis
Proceedings of the 27th USENIX Security Symposium, August 2018
Media Coverage: New York Times(1) (2), WIRED, CNN, NBC, The Guardian, The Register, Yahoo, BuzzFeed
"Virtualized dynamic port assignment and windowed whitelisting for securing infrastructure servers"
Ronald Loui, Lucinda Caughey, Mohammad Ghasemisharif and Rogelio Salvador
IEEE International Conference on Electro Information Technology (EIT), August 2016
"State of the Fuzz: An Analysis of Black-Box Vulnerability Testing" [PDF]
Some browsers offer a reader mode option that removes page bloat, Ads and trackers and displays only the necessary (textual) content. While the end result is visually pleasant, it does not solve page load time since they render the entire page before making the decision (whether the page contains readable subsets). So we approached this problem by shifting the decision point prior to full rendering (on initial HTML). Our trained model outperformed comparable heuristic methods and resulted in speeding up page loading by 27×, and reducing network use by 84×. We did this project over my internship at Brave.
In a nutshell, Single Sign-On is an easy way of using multiple independent services (e.g. Quora) with one account (e.g. Facebook). In this project, we measured the prevalence of SSO in the wild and investigated the attacks SSO enables even when it is implemented correctly. We showed that the interplay between local account management and SSO can result in strange corner cases that can make recovering from IdP account compromise very hard or even impossible. We provided a PoC for Facebook account compromise to demonstrated the practicality of the attacks. bug bounty
While "non-session" HTTP cookies seems benign, they can reveal personally identifiable information as previous study showed. We investigated large-scale crowd de-anonymization through "non-session" HTTP cookies and KARMA attack. We disclosed a WebKit vulnerability for mishandling cookies in private browsing and captive portal. CVE-2017-7144
This little Chrome extension came into existence while I was learning extension development. I needed an extension for handling per tab cookies, and since I don't trust installing third-party extensions, I wrote this for my daily browsing. It is mainly a garbage collector for stale cookies. The name came from a pseudo-docker-random-name-generator which oddly makes sense here.
I started this project to measure the frequency of uploading security papers and frequent uploaders on Arxiv. After multiple revisions, it evolved into a self-maintained website that is a visually appealing version of (Cryptography and Security) Arxiv which also comes with stats. I also wanted to make all of its components portable and self-maintained, so everything is dockerized from head to toe.