Peer-reviewed Conference and Workshop papers

Harnessing Multiplicity: Granular Browser Extension Fingerprinting through User Configurations
Konstantinos Solomos, Nick Nikiforakis, and Jason Polakis
(To appear) In Proceedings of the Annual Computer Security Applications Conference (ACSAC),
December 2024, Hawaii.

Fledging Will Continue Until Privacy Improves: Empirical Analysis of Google's Privacy-Preserving Targeted Advertising
Giuseppe Calderonio, Mir Masood Ali, and Jason Polakis
In Proceedings of the USENIX Security Symposium,
August 2024, Philadelphia, PA. [PDF]

Rise of Inspectron: Automated Black-box Auditing of Cross-platform Electron Apps
Mir Masood Ali, Mohammad Ghasemisharif, Chris Kanich, and Jason Polakis
In Proceedings of the USENIX Security Symposium,
August 2024, Philadelphia, PA. [PDF]

Abandon All Hope Ye Who Enter Here: A Dynamic, Longitudinal Investigation of Android's Data Safety Section
Ioannis Arkalakis, Michalis Diamantaris, Serafim Moustakas, S. Ioannidis, Jason Polakis, and P. Ilia
In Proceedings of the USENIX Security Symposium,
August 2024, Philadelphia, PA. [PDF]

When Push Comes to Shove: Empirical Analysis of Web Push Implementations in the Wild
Alberto Carboneri, Mohammad Ghasemisharif, Soroush Karami, and Jason Polakis
In Proceedings of the Annual Computer Security Applications Conference (ACSAC),
December 2023, Austin, TX. [PDF]

Read Between the Lines: Detecting Tracking JavaScript with Bytecode Classification
Mohammad Ghasemisharif and Jason Polakis
In Proceedings of the ACM Conference on Computer and Communications Security (CCS),
November 2023, Denmark. [PDF]

Fashion Faux Pas: Implicit Stylistic Fingerprints for Bypassing Browsers’ Anti-Fingerprinting Defenses
Xu Lin, Fred Araujo, Teryl Taylor, Jiyong Jang, and Jason Polakis
In Proceedings of the IEEE Symposium on Security and Privacy (S&P),
May 2023, San Francisco, CA. [PDF]

Navigating Murky Waters: Automated Browser Feature Testing for Uncovering Tracking Vectors
Mir Masood Ali, Binoy Chitale, Mohammad Ghasemisharif, Chris Kanich, Nick Nikiforakis, and Jason Polakis
In Proceedings of the Network and Distributed System Security Symposium (NDSS),
February 2023, San Diego, CA. [PDF]

ReScan: A Middleware Framework for Realistic and Robust Black-box Web Application Scanning
Kostas Drakonakis, Sotiris Ioannidis, and Jason Polakis
In Proceedings of the Network and Distributed System Security Symposium (NDSS),
February 2023, San Diego, CA. [PDF]

Escaping the Confines of Time: Continuous Browser Extension Fingerprinting Through Ephemeral Modifications
Konstantinos Solomos, Panagiotis Ilia, Nick Nikiforakis, and Jason Polakis
In Proceedings of the ACM Conference on Computer and Communications Security (CCS),
November 2022, Los Angeles, CA. [PDF]

Exploring the Security and Privacy Risks of Chatbots in Messaging Services
Jide Edu, Cliona Mulligan, Fabio Pierazzi, Jason Polakis, Guillermo Suarez-Tangil, Jose Such
In Proceedings of the ACM Internet Measurement Conference (IMC),
October 2022, Nice, France. [PDF]

Phish in Sheep’s Clothing: Exploring the Authentication Pitfalls of Browser Fingerprinting
Xu Lin, Panagiotis Ilia, Saumya Solanki, and Jason Polakis
In Proceedings of the USENIX Security Symposium,
August 2022, Boston, MA. [PDF]

The Dangers of Human Touch: Fingerprinting Browser Extensions through User Actions
Konstantinos Solomos, Panagiotis Ilia, Soroush Karami, Nick Nikiforakis, and Jason Polakis
In Proceedings of the USENIX Security Symposium,
August 2022, Boston, MA. [PDF]

Unleash the Simulacrum: Shifting Browser Realities for Robust Extension-Fingerprinting Prevention
Soroush Karami, Faezeh Kalantari, Mehrnoosh Zaeifi, Xavier J. Maso, Erik Trickel, Panagiotis Ilia, Yan Shoshitaishvili, Adam Doupé, and Jason Polakis
In Proceedings of the USENIX Security Symposium,
August 2022, Boston, MA. [PDF]

Towards Automated Auditing for Account and Session Management Flaws in Single Sign-On Deployments
Mohammad Ghasemisharif, Chris Kanich, and Jason Polakis
In Proceedings of the IEEE Symposium on Security and Privacy (S&P),
May 2022, San Francisco, CA. [PDF]

This Sneaky Piggy Went to the Android Ad Market: Misusing Mobile Sensors for Stealthy Data Exfiltration
Michalis Diamantaris, Serafeim Moustakas, Lichao Sun, Sotiris Ioannidis, and Jason Polakis
In Proceedings of the ACM Conference on Computer and Communications Security (CCS),
November 2021, Virtual. [PDF, Code/Data]

Plight at the End of the Tunnel: Legacy IPv6 Transition Mechanisms in the Wild
John Kristoff, Mohammad Ghasemisharif, Chris Kanich, and Jason Polakis
In Proceedings of the Passive and Active Measurement Conference (PAM),
March 2021, Virtual. [PDF]

Tales of Favicons and Caches: Persistent Tracking in Modern Browsers
Konstantinos Solomos, John Kristoff, Chris Kanich, and Jason Polakis
In Proceedings of the Network and Distributed System Security Symposium (NDSS),
February 2021, Virtual. [PDF]

Awakening the Web's Sleeper Agents: Misusing Service Workers for Privacy Leakage
Soroush Karami, Panagiotis Ilia, and Jason Polakis
In Proceedings of the Network and Distributed System Security Symposium (NDSS),
February 2021, Virtual. (Distinguished Paper Award) [PDF]

Fill in the Blanks: Empirical Analysis of the Privacy Threats of Browser Form Autofill
Xu Lin, Panagiotis Ilia, and Jason Polakis
In Proceedings of the ACM Conference on Computer and Communications Security (CCS),
November 2020, Virtual. [PDF, Code/Data/Demos]

The Cookie Hunter: Automated Black-box Auditing for Web Authentication and Authorization Flaws
Kostas Drakonakis, Sotiris Ioannidis, and Jason Polakis
In Proceedings of the ACM Conference on Computer and Communications Security (CCS),
November 2020, Virtual. [PDF, Code]

Chameleons' Oblivion: Complex-Valued Neural Networks for Protocol-Agnostic RF Device Fingerprinting
Ioannis Agadakos+, Nikolaos Agadakos+, Jason Polakis, and Mohamed R. Amer
In Proceedings of the 5th IEEE European Symposium on Security and Privacy (EuroS&P),
September 2020, Virtual. [PDF] + Joint first authors.

Tech Pains: Characterizations of Lived Cybersecurity Experiences.
Huixin Tian, Chris Kanich, Jason Polakis, and Sameer Patil
In Proceedings of the 5th European Workshop on Usable Security (EuroUSEC),
September 2020, Virtual. [PDF]

Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers
Brian Kondracki, Assel Aliyeva, Manuel Egele, Jason Polakis, and Nick Nikiforakis
In Proceedings of the 41st IEEE Symposium on Security and Privacy (S&P),
May 2020, Virtual. [PDF]

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting
Soroush Karami, Panagiotis Ilia, Konstantinos Solomos, and Jason Polakis
In Proceedings of the 27th Network and Distributed System Security Symposium (NDSS),
February 2020, San Diego, CA. [PDF, BibTex]

A Large-scale Study on the Risks of the HTML5 WebAPI for Mobile Sensor-based Attacks
Francesco Marcantoni, Michalis Diamantaris, Sotiris Ioannidis, and Jason Polakis
In Proceedings of the 30th Web Conference (WWW),
May 2019, San Francisco, CA. [PDF, Data, BibTex]

REAPER: Real-time App Analysis for Augmenting the Android Permission System
Michalis Diamantaris, Elias P. Papadopoulos, Evangelos P. Markatos, Sotiris Ioannidis, and Jason Polakis
In Proceedings of the 9th ACM Conference on Data and Application Security and Privacy (CODASPY),
March 2019, Dallas, TX. [PDF, Data, BibTex]

Please Forget Where I Was Last Summer: The Privacy Risks of Public Location (Meta)Data
Kostas Drakonakis, Panagiotis Ilia, Sotiris Ioannidis, and Jason Polakis
In Proceedings of the 25th Network and Distributed System Security Symposium (NDSS),
February 2019, San Diego, CA. [PDF, Data, BibTex]
▷ Media coverage: WIRED, The Register, Engadget

O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web
Mohammad Ghasemisharif, Amrutha Ramesh, Stephen Checkoway, Chris Kanich, and Jason Polakis
In Proceedings of the 27th USENIX Security Symposium
August 2018, Baltimore, MD. [PDF, Data, BibTex]
▷ Media coverage: New York Times (1), New York Times (2), WIRED (1), WIRED (2), CNN, The Guardian, NBC, The Register, BuzzFeed, ThreatPost, Yahoo, Columbia Journalism Review, Reuters India Times, HelpNetSecurity (a), HelpNetSecurity (b), DataBreachToday, The Parallax, LifeHacker

In (Cyber)Space Bots Can Hear You Speak: Breaking Audio CAPTCHAs Using OTS Speech Recognition
Saumya Solanki, Gautam Krishnan, Varshini Sampath, and Jason Polakis
In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security (AISEC),
co-located with the ACM Conference on Computer and Communications Security (CCS)
November 2017, Dallas, TX. [PDF, BibTex]
▷ Also presented at Usenix ScAINet 2018

Reveal: Fine-grained Recommendations in Online Social Networks
Markos Aivazoglou, Orestis Roussos, Sotiris Ioannidis, Dimitris Spiliotopoulos, and Jason Polakis
In Proceedings of the 2017 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM)
July 2017, Sydney, Australia. [PDF, BibTex]

Techu: Open and Privacy-preserving Crowdsourced GPS for the Masses
Ioannis Agadakos, Jason Polakis, and Georgios Portokalidis
In Proceedings of the 15th ACM International Conference on Mobile Systems, Applications, and Services (MobiSys)
June 2017, NY, USA. [PDF, BibTex]

That's the Way the Cookie Crumbles: Evaluating HTTPS Enforcing Mechanisms
Suphannee Sivakorn, Angelos D. Keromytis, and Jason Polakis
In Proceedings of the 15th ACM Workshop on Privacy in the Electronic Society (WPES),
co-located with the ACM Conference on Computer and Communications Security (CCS)
October 2016, Vienna, Austria. [PDF, BibTex]

The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information
Suphannee Sivakorn+, Iasonas Polakis+, and Angelos D. Keromytis
In Proceedings of the 37th IEEE Symposium on Security and Privacy (S&P)
May 2016, San Jose, CA. [PDF, BibTex]
+ Joint first authors.
▷ Also presented at BlackHat USA 2016
▷ Media Coverage: Threat Post, Security Intelligence, eWeek

I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs
Suphannee Sivakorn, Iasonas Polakis, and Angelos D. Keromytis
In Proceedings of the 1st IEEE European Symposium on Security and Privacy (Euro-S&P)
March 2016, Saarbrucken, Germany. [Dataset, PDF, BibTex]
▷ Also presented at BlackHat Asia 2016, Usenix ScAINet 2018
▷ Media Coverage: NPR - Planet Money, NPR - All Things Considered, The Verge, The Register, Wired, Slashdot, Softpedia, Sophos, Schneier on Security, Gizmodo, Kaspersky, Information Week, Security Week, SC Magazine, Computing, The Inquirer, Security Affairs, Panda Security, DHS

Social Forensics: Searching for Needles in Digital Haystacks
Iasonas Polakis, Panagiotis Ilia, Zacharias Tzermias, Sotiris Ioannidis, and Paraskevi Fragopoulou
In Proceedings of the 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), co-located with the 18th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
November 2015, Kyoto, Japan. [PDF, BibTex]

Where's Wally? Precise User Discovery Attacks in Location Proximity Services
Iasonas Polakis, George Argyros, Theofilos Petsios, Suphannee Sivakorn, and Angelos D. Keromytis
In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS)
October 2015, Denver, CO, USA. [PDF, BibTex, Software]

Face/Off: Preventing Privacy Leakage From Photos in Social Networks
Panagiotis Ilia, Iasonas Polakis, Elias Athanasopoulos, Federico Maggi, and Sotiris Ioannidis
In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS)
October 2015, Denver, CO, USA. [PDF, BibTex]

Powerslave: Analyzing the Energy Consumption of Mobile Antivirus Software
Iasonas Polakis, Michalis Diamantaris, Thanasis Petsas, Federico Maggi, and Sotiris Ioannidis
In Proceedings of the 12th Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA)
July 2015, Milan, Italy. [PDF, BibTex]
▷ Media Coverage: Dr.Shem

Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication
Iasonas Polakis, Panagiotis Ilia, Federico Maggi, Marco Lancini, Georgios Kontaxis, Stefano Zanero, Sotiris Ioannidis, and Angelos D. Keromytis
In Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS)
November 2014, Arizona, USA. [PDF, BibTex]

Think before RT: An Experimental Study of Abusing Twitter Trends
Despoina Antonakaki, Iasonas Polakis, Elias Athanasopoulos, Paraskevi Fragopoulou, and Sotiris Ioannidis
In Proceedings of the Workshop On Social Influence (SI), co-located with the 6th International Conference on Social Informatics (SocInfo)
November 2014, Barcelona, Spain. [PDF, BibTex]

Security and Privacy Measurements in Social Networks: Experiences and Lessons Learned
Iasonas Polakis, Federico Maggi, Stefano Zanero, and Angelos D. Keromytis
In Proceedings of the 3rd International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), co-located with the 19th European Symposium on Research in Computer Security (ESORICS)
September 2014, Wroclaw, Poland. [PDF, BibTex]

The Man Who Was There: Validating Check-ins in Location-based Services
Iasonas Polakis, Stamatis Volanis, Elias Athanasopoulos, and Evangelos P. Markatos
In Proceedings of the 29th Annual Computer Security Applications Conference (ACSAC)
December 2013, New Orleans, USA. [PDF, BibTex]

All Your Face Are Belong to Us: Breaking Facebook's Social Authentication
Iasonas Polakis, Marco Lancini, Georgios Kontaxis, Federico Maggi, Sotiris Ioannidis, Angelos D. Keromytis, and Stefano Zanero
In Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC)
December 2012, Florida, USA. [PDF, BibTex]
▷ Media Coverage: Computer World

dead.drop: URL-based Stealthy Messaging
Georgios Kontaxis, Iasonas Polakis, Michalis Polychronakis and Evangelos P. Markatos
In Proceedings of the 7th European Conference on Computer Network Defense (EC2ND)
September 2011, Gothenburg, Sweden. [PDF, BibTex]

CAPTCHuring Automated (Smart)Phone Attacks
Iasonas Polakis, Georgios Kontaxis and Sotiris Ioannidis
In Proceedings of the 1st Workshop on Systems Security (SysSec), co-located with the 8th Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA)
July 2011, Amsterdam, Netherlands. [PDF, BibTex]

Outsourcing Malicious Infrastructure to the Cloud
Georgios Kontaxis, Iasonas Polakis, and Sotiris Ioannidis
In Proceedings of the 1st Workshop on Systems Security (SysSec), co-located with the 8th Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA)
July 2011, Amsterdam, Netherlands. [PDF, BibTex]

An Empirical Study on the Security of Cross-Domain Policies in Rich Internet Applications
Georgios Kontaxis, Demetres Antoniades, Iasonas Polakis, and Evangelos P. Markatos
In Proceedings of the 4th European Workshop on System Security (EUROSEC)
April 2011, Salzburg, Austria. [PDF, BibTex]

we.b: The Web of Short URLs
Demetres Antoniades, Iasonas Polakis, Georgios Kontaxis, Elias Athanasopoulos, Sotiris Ioannidis, Evangelos P. Markatos, and Thomas Karagiannis.
In Proceedings of the 20th International World Wide Web Conference (WWW)
March 2011, Hyderabad, India. [PDF, BibTex]

Detecting Social Network Profile Cloning
Georgios Kontaxis, Iasonas Polakis, Sotiris Ioannidis, and Evangelos P. Markatos
In Proceedings of the 3rd IEEE International Workshop on SEcurity and SOCial Networking (SESOC), co-located with the IEEE International Conference on Pervasive Computing and Communications (PerCom)
March 2011, Seattle, WA. [PDF, BibTex]

Using Social Networks to Harvest Email Addresses
Iasonas Polakis, Georgios Kontaxis, Spiros Antonatos, Eleni Gessiou, Thanasis Petsas and Evangelos P. Markatos
In Proceedings of the 9th Workshop on Privacy in the Electronic Society (WPES), co-located with the ACM Conference on Computer and Communications Security (CCS)
October 2010, Chicago, IL. [PDF, BibTex]

Experiences and Observations from the NoAH Infrastructure
Georgios Kontaxis, Iasonas Polakis, Spiros Antonatos and Evangelos P. Markatos
In Proceedings of the 6th European Conference on Computer Network Defense (EC2ND)
October 2010, Berlin, Germany. [PDF, BibTex]

D(e | i)aling with VoIP: Robust Prevention of DIAL Attacks
Alexandros Kapravelos, Iasonas Polakis, Elias Athanasopoulos, Sotiris Ioannidis, and Evangelos P. Markatos
In Proceedings of the 15th European Symposium on Research in Computer Security (ESORICS)
September 2010, Athens, Greece. [PDF, BibTex]

A Systematic Characterization of IM Threats Using Honeypots
Spiros Antonatos, Iasonas Polakis, Thanasis Petsas and Evangelos P. Markatos
In Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS)
March 2010, San Diego, CA. [PDF, BibTex]

Journal Publications

The Seven Deadly Sins of the HTML5 WebAPI: A Large-scale Study on the Risks of Mobile Sensor-based Attacks.
Michalis Diamantaris, Francesco Marcantoni, Sotiris Ioannidis, and Jason Polakis.
In ACM Transactions on Privacy and Security (TOPS), (2020).

A Fine-grained Social Network Recommender System
Markos Aivazoglou, Antonios Roussos, Dionisis Margaris, Costas Vassilakis, Sotiris Ioannidis, Jason Polakis, and Dimitris Spiliotopoulos.
In Social Network Analysis and Mining 2020, 10(1).

Evaluating the Privacy Guarantees of Location Proximity Services
George Argyros, Theofilos Petsios, Suphannee Sivakorn, Angelos D. Keromytis, and Jason Polakis.
In ACM Transactions on Privacy and Security (TOPS), 19, 4, Article 12 (February 2017) – (formerly TISSEC).

Exploiting abused trending topics to identify spam campaigns in Twitter
Despoina Antonakaki, Iasonas Polakis, Elias Athanasopoulos, Paraskevi Fragopoulou, and Sotiris Ioannidis.
In Social Network Analysis and Mining 2016, 6(1).

Technical Reports

Where's Wally? Precise User Discovery Attacks in Location Proximity Services
Iasonas Polakis, George Argyros, Theofilos Petsios, Suphannee Sivakorn, Angelos D. Keromytis.
Technical Report CUCS-012-15, Dept. of Computer Science, Columbia University, August 2015. [PDF]

Digital is Calling the Analog: Robust Prevention of Dial Attacks
Alexandros Kapravelos, Iasonas Polakis, Elias Athanasopoulos, Sotiris Ioannidis, and Evangelos P. Markatos.
Technical Report 399. FORTH, October 2009. [PDF]

Articles, Books, Posters

Honeypot Technologies - PenTest Magazine
Iasonas Polakis and Spiros Antonatos, September 2012.

The Red Book: A Roadmap for Systems Security Research
Evangelos Markatos and Davide Balzarotti (editors).
Available on: http://red-book.eu. The SysSec Consortium, August 2013.

(POSTER) Dynamic Monitoring of Dark IP Address Space
Iasonas Polakis, Georgios Kontaxis, Sotiris Ioannidis, and Evangelos P. Markatos
In Proceedings of the 3rd COST TMA International Workshop on Traffic Monitoring and Analysis (TMA)
April 2011, Vienna, Austria. [PDF, BibTex]