Derin Eryilmaz

My job

None! I'm a student living in the US.

My Chromium security research

I've filed dozens of bug reports for the Chromium; My research is mostly focused on Chrome extension APIs and runtime.

My best find is an InfoLeak + XSS that allows Chrome Extensions to edit local files on ChromeOS and run commands in its Linux container. The writeup can be found on my blog.

I currently stand at around 180th on the Google Hall of Fame, which sounds a lot more impressive than it actually is.

Times I've been mentioned by Google:

Chrome 115.0.5790.170 release (August 2, 2023)
ChromeOS 116.0.5845.120 release (August 25, 2023)

My third-party security research

My Chrome extension research includes third-party extensions on the Web Store.

I've found four XSS bugs in extensions that allow for full information leakage and cross-site-scripting (UXSS) within Chrome.

The GoGuardian extension (allegedly 25 million users)
Securly's student extension (allegedly 8 million users)
Blocksi Enterprise Edition (200k+ users)
Diigo Web Collector (200k+ users)

These bugs were responsibly disclosed to the respective extension developers.

My future security research

I started learning C++ in the summer of 2023. Once I get more familiar with reading it, I hope to better understand the "big picture" of Chromium and find better bugs.

Derin Eryılmaz