Yinzhi Cao receives distinguished paper award and test-of-time award at IEEE Security and Privacy 2025

June 6, 2025

In mid-May, Yinzhi Cao, an associate professor in the Whiting School of Engineering’s Department of Computer Science and the technical director of the Johns Hopkins University Information Security Institute, was recognized for his achievements and contributions to the field at the 46th IEEE Symposium on Security and Privacy.


One of his papers, “Follow My Flow: Unveiling Client-Side Prototype Pollution Gadgets from One Million Real-World Websites,” received a Distinguished Paper Award. Cao worked on this research with Zifeng Kang, Engr ’25 (PhD), Muxi Lyu, Engr ’25 (BS/MS), and Zhengyu Liu and Jianjia Yu, both PhD students in the Department of Computer Science. He also worked with collaborators at Zhejiang University in China including Song Li, Engr ’22 (PhD).

The paper presents the team’s research on prototype pollution vulnerabilities, in which malicious actors manipulate properties of JavaScript’s shared prototype objects so that the change affects every other object that inherits from them. The research team designed a dynamic analysis framework called GALA to automatically detect prototype pollution gadgets on real-world websites. Evaluated against one million websites, GALA uncovered 133 zero-day gadgets that previous frameworks had missed.

“Our research finds that prototype pollution can lead to many severe consequences, such as cross-site scripting and cookie manipulation. One of our gadget chains exists in Meta’s software; they gave us a bug bounty for finding the vulnerability, and then fixed it immediately,” explains Cao. “We hope that future vendors can take such vulnerabilities, particularly prototype pollution gadget chains, seriously for immediate patches.”
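The chain described above has three parts: a source that lets attacker-influenced input write into `Object.prototype`, a gadget (existing site code that reads a property it never set and trusts whatever the prototype chain returns), and a sink such as `innerHTML`. The following is an added, illustrative example and is not code from the paper or from the GALA framework; the `unsafeMerge`, `safeMerge`, `renderWidget` and `prototypeIsPolluted` functions and the constructed input are hypothetical, and the rendered string is a harmless marker standing in for the script an attacker would supply.

```javascript
// Added illustrative example (not code from the paper or GALA).
// Shows a prototype pollution source, a gadget that consumes the polluted
// property, and the hardened merge that closes the source.

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable recursive merge: copies every key it sees. A key literally named
// "__proto__" resolves to Object.prototype, so the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skips prototype-walking keys and only descends into the
// target's own properties, so nothing can reach Object.prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical gadget: a widget with an optional "template" option and a
// constant fallback. The property lookup walks the prototype chain, so a
// polluted Object.prototype.template wins over the intended default.
function renderWidget(options) {
  const tpl = options.template !== undefined ? options.template : "<span>default</span>";
  return tpl; // on a real page this string would be assigned to innerHTML (the sink)
}

// Defensive check: a fresh object should not "have" a property nobody set on it.
function prototypeIsPolluted(propName) {
  return ({})[propName] !== undefined;
}

// Constructed attacker-shaped input, like what a query-string parser might
// hand to a merge routine. The marker stands in for attacker-chosen markup.
const CONSTRUCTED_INPUT = JSON.parse(
  '{"theme":"dark","__proto__":{"template":"<i>polluted-marker</i>"}}'
);

// Runs one merge routine over the constructed input and reports whether the
// gadget picked up the polluted value. Cleans Object.prototype afterwards so
// the demonstration does not leak into other code.
function runScenario(mergeFn) {
  delete Object.prototype.template;
  const config = mergeFn({}, CONSTRUCTED_INPUT);
  const result = {
    polluted: prototypeIsPolluted("template"),
    rendered: renderWidget({ theme: config.theme }), // "template" was never set here
    ownKeys: Object.keys(config),
  };
  delete Object.prototype.template;
  return result;
}

console.log("unsafeMerge:", runScenario(unsafeMerge));
console.log("safeMerge:  ", runScenario(safeMerge));
```

With `unsafeMerge` the widget renders the marker even though `config` has only the own key `theme`, which is exactly why such gadgets are hard to spot by reading the consuming code alone. A site-wide mitigation that complements the hardened merge is `Object.freeze(Object.prototype)` at startup, at the cost of breaking any library that legitimately extends it.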

A second paper of Cao’s—work he conducted a decade ago with his postdoctoral advisor—was awarded a Test of Time award; this award recognizes past publications that are still relevant, useful, and impactful within security and privacy. The paper, “Towards Making Systems Forget with Machine Unlearning,” presented an efficient approach to making learning systems forget, or “unlearn,” information, data, or lineages.

“I am pleased that the Test of Time Award committee recognized the importance of this work on machine unlearning. Since we first proposed the concept back in 2015, machine unlearning has become a blooming research field, attracting many researchers to work on it,” says Cao.
