Elie Bursztein

From Wikipedia, the free encyclopedia

Born: 1980 (age 42–43)
Thesis: Anticipation games: Game theory applied to network security (2008)
Doctoral advisor: Jean Goubault-Larrecq

Elie Bursztein,[r 1] born 1 June 1980 in France, is a French computer scientist and software engineer. He currently leads Google’s Security and Anti-Abuse Research Team.

Education and early career

Bursztein obtained a computer engineering degree from EPITA in 2004, a master’s degree in computer science from Paris Diderot University/ENS in 2005, and a PhD in computer science from École normale supérieure Paris-Saclay in 2008 with a dissertation titled Anticipation games: Game theory applied to network security. His PhD advisor was Jean Goubault-Larrecq.

Before joining Google, Bursztein was a post-doctoral fellow at Stanford University's Security Laboratory, where he collaborated with Dan Boneh and John Mitchell on web security,[p 1][p 2] game security,[p 3][p 4] and applied cryptographic research.[p 5] His work at Stanford University included the first cryptanalysis of the inner workings of Microsoft’s DPAPI (Data Protection Application Programming Interface),[p 6] the first evaluation of the effectiveness of private browsing,[p 7][r 2] and many advances to CAPTCHA security[p 8][p 9][p 10] and usability.[p 11]

Bursztein has discovered, reported, and helped fix hundreds of vulnerabilities, including securing Twitter’s frame-busting code,[r 3] exploiting Microsoft's location service to track the position of mobile devices,[r 4] and exploiting the lack of proper encryption in the Apple App Store to steal user passwords and install unwanted applications.[r 5]

Career at Google

Bursztein joined Google in 2012 as a research scientist. He founded the Anti-Abuse Research Team in 2014 and became the lead of the Security and Anti-Abuse Research Team in 2017.[r 6] Bursztein's notable contributions at Google include:

  • 2020 Developing a deep-learning engine that helps to block malicious documents targeting Gmail users.[p 12]
  • 2019 Developing a password-checking service[r 7] that has allowed hundreds of millions of users[r 8] to check whether their credentials have been stolen in a data breach while preserving their privacy.[p 13]
  • 2019 Developing a Keras tuner that became the default hypertuner for TensorFlow[r 9] and TFX.[r 10]
  • 2018 Conducting the first large-scale study on the illegal online distribution of child sexual abuse material in partnership with NCMEC.[p 14]
  • 2017 Finding the first SHA-1 full collision.[p 15][r 11]
  • 2015 Deprecating security questions at Google after completing the first large in-the-wild study on the effectiveness of security questions,[p 16] which showed that they were both insecure and had a very low recall rate.[r 12][r 13]
  • 2014 Redesigning Google CAPTCHA to make it easier for humans, resulting in a 6.7% improvement in the pass rate.[p 17]
  • 2013 Strengthening Google accounts protections against hijackers[p 18] and fake accounts.[p 19]

Awards and honors

Best academic papers awards

  • 2021 USENIX Security distinguished paper award[r 14] for "Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns[p 20]
  • 2019 USENIX Security distinguished paper award[r 14] for Protecting accounts from credential stuffing with password breach alerting[p 13]
  • 2019 CHI best paper award[r 15] for “They don’t leave us alone anywhere we go”: Gender and digital abuse in South Asia[p 21]
  • 2017 Crypto best paper award[r 16] for The first collision for full SHA-1[p 15]
  • 2015 WWW best student paper award[r 17] for Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google[p 16][r 13]
  • 2015 S&P Distinguished Practical Paper award[r 18] for Ad Injection at Scale: Assessing Deceptive Advertisement Modifications[p 22][r 19]
  • 2011 S&P best student paper award[r 20] for OpenConflict: Preventing real time map hacks in online games[p 3]
  • 2008 WISPT best paper award for Probabilistic protocol identification for hard to classify protocol[p 23]

Industry awards

  • 2019 Recognized as one of the 100 most influential French people in cybersecurity[r 21]
  • 2017 BlackHat Pwnie award for the first practical SHA-1 collision[r 22]
  • 2015 IRTF Applied Networking Research Prize[r 23] for Neither snow nor rain nor MITM … An empirical analysis of email delivery security[p 24]
  • 2010 Top 10 Web Hacking Techniques for Attacking HTTPS with cache injection[r 24][p 25]


Bursztein is an accomplished magician and posted magic tricks weekly on Instagram during the 2019 pandemic.[r 25]

In 2014, following his talk on hacking Hearthstone using machine learning,[p 26] he decided not to make his prediction tool open source, because of the Hearthstone community’s disappointment and at Blizzard Entertainment’s request.[r 26]

Selected publications

  1. H. Bojinov; E. Bursztein; D. Boneh (2009). XCS: cross channel scripting and its impact on web applications. CCS'09 - SIGSAC conference on Computer and communications security. ACM. pp. 420–431.
  2. G. Rydstedt; E. Bursztein; D. Boneh; C. Jackson (2010). Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular sites. 3rd Web 2.0 Security and Privacy workshop. IEEE.
  3. E. Bursztein; M. Hamburg; J. Lagarenne; D. Boneh (2011). OpenConflict: Preventing Real Time Map Hacks in Online Games. S&P'11 - Symposium on Security and Privacy. IEEE.
  4. E. Bursztein; J. Lagarenne (2010). Kartograph. DEF CON 18. Defcon.
  5. Bursztein, Elie; Picod, Jean Michel (2010). Recovering Windows secrets and EFS certificates offline. WoOT 2010. Usenix.
  6. J. M. Picod; E. Bursztein (2010). Reversing DPAPI and Stealing Windows Secrets Offline. Blackhat.
  7. Aggarwal, Gaurav; Bursztein, Elie; Collin, Jackson; Boneh, Dan (2010). An Analysis of Private Browsing Modes in Modern Browsers. 19th Usenix Security Symposium. Usenix.
  8. E. Bursztein; R. Beauxis; H.Paskov; D. Perito; C. Fabry; J. C. Mitchell (2011). The failure of noise-based non-continuous audio captchas. S&P'11 - Symposium on Security and Privacy. IEEE. pp. 19–31. doi:10.1109/SP.2011.14.
  9. E. Bursztein; M. Martin; J. C. Mitchell (2011). Text-based captcha strengths and weaknesses. CCS. ACM.
  10. E. Bursztein; J. Aigrain; A. Mosciki; J. C. Mitchell (2014). The end is nigh: generic solving of text-based CAPTCHAs. WoOT'14 - Workshop On Offensive Technology. Usenix.
  11. E. Bursztein; S. Bethard; C. Fabry; D. Jurafsky; J. C. Mitchell (2010). How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation. Symposium on Security and Privacy (S&P), 2010. IEEE. pp. 399–413. doi:10.1109/SP.2010.31.
  12. Bursztein, Elie (2020). Malicious Documents Emerging Trends: A Gmail Perspective. RSA 2020. RSA.
  13. Thomas, Kurt; Jennifer, Pullman; Kevin, Yeo; Raghunathan, Ananth; Gage Kelley, Patrick; Invernizzi, Luca; Benko, Borbala; Pietraszek, Tadek; Patel, Sarvar; Boneh, Dan; Bursztein, Elie (2019). Protecting accounts from credential stuffing with password breach alerting. Usenix Security'19. Usenix.
  14. Bursztein, Elie; Bright, Travis; DeLaune, Michelle; Eliff, David; Hsu, Nick; Olson, Lindsey; Shehan, John; Thakur, Madhukar; Thomas, Kurt (2019). Rethinking the detection of child sexual abuse imagery on the Internet. Proceedings of the International Conference on World Wide Web. WWW.
  15. Stevens, Marc; Bursztein, Elie; Karpman, Pierre; Albertini, Ange; Markov, Yarik (2017). The first collision for full SHA-1. Crypto'17. IACR.
  16. J Bonneau; E Bursztein; I Caron; R Jackson; M Williamson (2015). Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google. WWW'15 - International Conference on World Wide Web. World Wide Web.
  17. E. Bursztein; A. Moscicki; C. Fabry; S. Bethard; J. C. Mitchell; D. Jurafsky (2014). Easy does it: More usable captchas. CHI'14 - SIGCHI Conference on Human Factors in Computing Systems. ACM. pp. 2637–2646. doi:10.1145/2556288.2557322.
  18. E. Bursztein; B. Benko; D. Margolis; T. Pietraszek; A. Archer; A. Aquino; A. Pitsillidis; S. Savage (2014). Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild. IMC '14 - Conference on Internet Measurement Conference. ACM. pp. 347–358. doi:10.1145/2663716.2663749.
  19. K. Thomas; D. Iatskiv; E. Bursztein; T. Pietraszek; C. Grier; D. McCoy (2014). Dialing Back Abuse on Phone Verified Accounts. CCS '14 - SIGSAC Conference on Computer and Communications Security. ACM. pp. 465–476. doi:10.1145/2660267.2660321.
  20. Consolvo, Sunny; Gage Kelley, Patrick; Matthews, Tara; Thomas, Kurt; Dunn, Lee; Bursztein, Elie (2021). "Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns. Usenix Security 2021. Usenix.
  21. Sambasivan, Nithya; Batool, Amna; Ahmed, Nova; Matthews, Tara; Thomas, Kurt; Sanely Gaytán-Lugo, Laura; Nemer, David; Bursztein, Elie; Elizabeth, Churchill; Consolvo, Sunny (2019). They Don't Leave Us Alone Anywhere We Go - Gender and Digital Abuse in South Asia. CHI Conference on Human Factors in Computing Systems. ACM.
  22. K. Thomas; E. Bursztein; C. Grier; G. Ho; N. Jagpal; A. Kapravelos; D. McCoy; A. Nappa; V. Paxson; P. Pearce; N. Provos; M. A. Rajab (2015). Ad injection at scale: Assessing deceptive advertisement modifications. S&P'15 - Symposium on Security and Privacy. IEEE.
  23. E. Bursztein (2008). Probabilistic Protocol Identification for Hard to Classify Protocol. Information Security Theory and Practices. Smart Devices, Convergence and Next Generation Networks. Springer. pp. 49–63. doi:10.1007/978-3-540-79966-5_4.
  24. Z. Durumeric; D. Adrian; A. Mirian; J. Kasten; E. Bursztein; N. Lidzborski; K. Thomas; V. Eranti; M. Bailey; J. A. Halderman (2015). Neither snow nor rain nor mitm... an empirical analysis of email delivery security. Internet Measurement Conference. ACM.
  25. E. Bursztein; B. Gourdin; D. Boneh (2009). Bad memories. Blackhat USA 2010. Blackhat.
  26. E. Bursztein; C. Bursztein (2014). I am a legend: hacking hearthstone with machine learning. DEF CON 22. DEF CON.


  1. Elie Bursztein. "Elie Bursztein's personal site". Retrieved 4 April 2021.
  2. Ward, Mark (6 August 2010). "Private browsing modes leak data". BBC News. London.
  3. "Twitter Security Contributors List". Archived from the original on 18 February 2011.
  4. McCullagh, Declan (29 July 2011). "Stanford researcher exposes Microsoft's Wi-Fi database". CNET.
  5. Honorof, Marshall (11 March 2013). "Apple Fixes App Store Security Risk". NBC News.
  6. "Security, Privacy and Abuse research at Google". Retrieved 4 November 2020.
  7. Andreas Tuerk (2 October 2020). "To stay secure online, Password Checkup has your back". Google. Retrieved 28 May 2021.
  8. Kelly Earley (20 June 2020). "Sundar Pichai announces new Google privacy features". Silicon Republic. Retrieved 28 May 2021.
  9. Tensorflow. "Introduction to the Keras Tuner". Tensorflow. Retrieved 28 May 2021.
  10. Tensorflow. "The Tuner TFX Pipeline Component". Tensorflow. Retrieved 28 May 2021.
  11. Brandom, Russell (22 February 2017). "Google just cracked one of the building blocks of web encryption". The Verge.
  12. Beres, Damon (5 May 2015). "Your Password Security Questions Are Terrible, And They're Not Fooling Anyone". Huffington Post.
  13. Victor Luckerson. "Stop Using This Painfully Obvious Answer For Your Security Questions". Time. Retrieved 15 June 2015.
  14. Usenix. "Usenix best papers". Usenix. Retrieved 15 August 2021.
  15. CHI. "CHI'19 best papers list". ACM. Retrieved 15 January 2020.
  16. IACR. "CRYPTO best papers list". IACR. Retrieved 15 January 2020.
  17. "WWW - World Wide Web conference 2015 award list". WWW. Retrieved 15 June 2015.
  18. "S&P - Security And Privacy Symposium 2015 award list". IEEE. Retrieved 15 June 2015.
  19. Russell Brandom. "Google survey finds more than five million users infected with adware". The Verge. Retrieved 15 June 2015.
  20. "S&P - Security And Privacy Symposium 2011 award list". IEEE. Retrieved 15 June 2015.
  21. L'usine nouvelle. "Qui sont les 100 Français qui comptent dans la cybersécurité". L'usine nouvelle. Retrieved 5 November 2020.
  22. Pwnie Awards Committee (July 2017). "Best Cryptographic Attack Pwnie Awards". Black Hat.
  23. IRTF. "Applied Networking Research Prize Winners". IRTF. Retrieved 5 November 2020.
  24. Grossman, Jeremiah. "Top Ten Web Hacking Techniques of 2010 (Official)".
  25. Elie Bursztein. "Elie Bursztein magic tricks on Instagram". Instagram. Retrieved 28 May 2021.
  26. Bursztein, Elie. "I am a legend: Hacking Hearthstone with machine-learning Defcon talk wrap-up".
