Welcome
The Internet is (partially) broken. My job at Google is to fix it. I moved from France to California, and now solve Internet security and privacy problems. I designed the Wikipedia CAPTCHA and created Talisman, a Chrome browser extension that improves its security and privacy.

Featured publications

My most popular publications
mobile
SessionJuggler: Secure Web Login from an Untrusted Terminal Using Session Hijacking
Session Juggler lets users log into any website from an untrusted terminal, on any modern browser, using a simple bookmarklet and a smartphone. The site credentials are never transmitted to the untrusted terminal. With Session Juggler, users never enter their long-term credentials on the untrusted terminal. Instead, users log in to a web site using a smartphone app and then transfer the entire session, including cookies and all other session state, to the untrusted terminal.
@WWW 2012
captcha
Text-based CAPTCHA Strengths and Weaknesses
Based on successful attacks on 13 of the most popular CAPTCHA schemes, we show how to attack text-based CAPTCHAs and provide guidelines on how to design secure ones.
@CCS 2011
blog
Reclaiming the Blogosphere, TalkBack: A Secure LinkBack Protocol for Weblogs
TalkBack is a new blog LinkBack protocol that uses a lightweight PKI and a rate-limiting system to fight blog spam.
@ESORICS 2011
embedded devices
Towards Secure Embedded Web Interfaces
We audited the security of more than 30 embedded device web interfaces and found more than 50 vulnerabilities. To help developers, we developed WebDroid, the first framework specifically dedicated to building secure embedded web applications.
@Usenix Security 2011
video game
OpenConflict: Preventing Real Time Map Hacks in Online Games
We show how to perform memory-based attacks against real-time strategy games, using our tool Kartograph to create map hacks. To defend against these attacks, we develop secure protocols for distributing game state among players so that each client only has the data it is allowed to see.
@S&P 2011
captcha
The Failure of Noise-Based Non-Continuous Audio Captchas
We show how, using a generic approach based on advanced audio processing and machine learning algorithms, our CAPTCHA breaker "Decaptcha" is able to break all the popular audio CAPTCHA schemes, including Microsoft and Yahoo.
@S&P 2011
mobile
Kamouflage: Loss-Resistant Password Management
Kamouflage is a new kind of password manager that uses plausible decoys to prevent offline attacks when the master password is weak.
@ESORICS 2010
web security
An Analysis of Private Browsing Modes in Modern Browsers
We analyze how each of the major browsers implements private browsing mode, show their limitations, and describe attacks against them. We also measure on which kinds of websites people use private browsing mode.
@Usenix Security 2010
embedded devices
The emergence of cross channel scripting
We reveal a series of attacks against embedded devices based on a new type of vulnerability that we call cross-channel scripting (XCS). XCS is a sophisticated form of cross-site scripting (XSS) in which the attack injection and execution are carried out via different protocols.
@CACM Journal Volume 53 Number 8 2010
education
Webseclab Security Education Workbench
Webseclab is a teaching framework designed to teach students web security through various exercises, projects and quizzes. Webseclab combines a cloud-based service to aggregate class results and a student lab in the form of a virtual machine that contains more than 80 exercises.
@CEST 2010