Why Nominated: Under Ben Herzberg’s leadership, Imperva’s threat research team has uncovered key vulnerabilities in Facebook, Google Photos, Drupal and other online services and platforms.
Profile: Herzberg and his Imperva research team are charged with identifying and evaluating software flaws that undermine application and data security. In November 2018, Imperva disclosed a significant Facebook vulnerability that could have allowed hackers to extract private information about users and their contacts – including their likes, location and interests – by manipulating the graph search function to craft malicious search queries.
This tactic works because it abuses the unique cross-origin behavior of iframes, which at the time of discovery represented an entirely new attack vector. Then, in March 2019, Herzberg and company found that the same attack technique could also be leveraged to find out exactly who people were conversing with on Facebook Messenger. Facebook ultimately fixed both vulnerabilities.
Under Herzberg, Imperva also pinpointed a vulnerability in Google Photos that allowed hackers to track users’ locations, via side-channel attacks. Essentially, the service’s search endpoint was vulnerable to browser-based timing attacks that could be used to determine where, when and with whom a targeted individual’s photos were taken. Google fixed this flaw as well.
Other vulnerabilities found under Herzberg’s watch include one in the Docker API that attackers had exploited as a zero-day to mine cryptocurrency for financial benefit, a DoS bug in Scapy, an exploited Drupal RCE bug, and DirtyCOW and Drupalgeddon2 vulnerabilities combined with system misconfigurations that leave Drupal web servers vulnerable. The Imperva research team also recently published its “State of Web Application Vulnerabilities” report, which found that web application flaws increased in frequency by 21 percent in 2018 (compared to 2017).
What colleagues say: “Ben is a tremendous threat researcher, leader and colleague who excels at every task he tackles. Not only does he have impressive problem-solving skills and technical skills, including hacking and programming, but he also has excellent interpersonal skills that make him a very strong people leader… When there is a complex problem that people “break” their heads to solve, Ben can somehow think differently and find a solution that no one thought of. This outside-the-box mindset combined with his unique range of skills allows him to regularly identify critical new vulnerabilities in some of the world’s leading platforms.” – – Unattributed testimonial