Sohom Datta | North Carolina State University

About Me

I am a recent grad, a software developer and cybersecurity enthusiast. I tend to gravitate towards topics such as web security, systems security and privacy measurement.

In the formative years of my undergraduate degree, I have had the opportunity of gaining practical experience, working as a open-source developer and maintainer for projects such as ProofreadPage and VideoCutTool at the Wikimedia Foundation, as well as interning at Chromium during 2022, where I worked on a project aimed at increasing Chromium’s coverage of the Performance API specification.

More recently, I have been involved in cybersecurity adjacent projects, acting as subsystem head specializing in web and binary security at my college cybersecurity team (ranked amongst the top 10 in India in CTFTime during 2023) as well as being chosen for a undergraduate research assistantship advised by Nisha P. Shetty.

Towards the start of 2023, I had the privilege of working as a Research intern at the Wolfpack Security and Privacy Research Lab working on improving the tooling around VisibleV8, a modified version of the Chrome browser that facilitates research into malicious and/or privacy infringing javascript on the web. In October 2023, I worked as a Visiting Researcher at the Max Planck Institute of Security and Privacy, Bochum, where I pursued a project exploring the feasibility of fuzzing race-conditions in web-server application logic.

Since February 2023, I have taken up a position as a research scholar at the Wolfpack Security and Privacy Research Lab (again!) and will be working with Dr Alexandros Kapravelos’s group to investigate Javascript techniques used in fingerprinting and other privacy compromising contexts. I am also in the process og transitioning to a PhD position at the same lab.

Reported vulnerabilities/bugs

Found and fixed a cross-site scripting exploit in the PageTriage extension deployed on English Wikipedia CVE-2024-23174
Awarded 5000 USD for finding a mechanism to reliably leak a user’s browsing history via a experimental origin-trial web feature in Google Chrome 116. https://crbug.com/1457049
Awarded 7500 USD for discovering a XSS sanitation deficiency in the Golang html/template library. CVE-2023-24538
Awarded 3133.7 USD for discovering authentication bypasses in the dart:core URI parsing module in Dart-lang by the Google Vulnerability Rewards Program in 2022 CVE-2022-3095
Awarded 3133.7 USD for discovering a URL validation bypass in Google’s Clojure library by the Google Vulnerability Rewards Program in 2021.
Found and reported security/privacy issues in Google Chrome and Firefox’s implementation of the ResourceTiming API. CVE-2022-1146, CVE-2022-29915
Found and reported a high severity Denial-of-service attack against the popular jpeg-js javascript library to snyk.io. [CVE-2022-25851]
Use-after-free in sudo-project/sudo (cvtsudoers) Github issue#198

Publications

Shetty, Nisha P.; Muniyal, Balachandra; Dokania, Akshat; Datta, Sohom; Gandluri, Manas Subramanyam; Maben, Leander Melroy; Priyanshu, Aman (2023-09-28). “Guarding Your Social Circle: Strategies to Protect Key Connections and Edge Importance”. Security and Communication Networks. 2023: e2548962. doi:10.1155/2023/2548962. ISSN 1939-0114

Hobbies

When I’m not tinkering with tech, I like to spend my time doing photography and writing about indian and computer security topics at Wikimedia. I have a instagram where I infrequently post cool pictures that I might have taken.

All pictures released by me on social media should be considered to be under CC-BY-SA 3.0 unless noted otherwise. This means that you should provide attribution if you plan to use the pictures anywhere other than for your own personal use.