Projects

Catalog Heaven - Freely customize your Roblox avatar and battle with others
proxy.lua - Control Lua object access with pure Lua
zoom-cli - Change Zoom virtual backgrounds from the command line
node-postback - Perform ASP.NET postbacks in Node.js
bio-media-builds - Create and preserve digital representations of buildable models in BIONICLE media
Roblox File Converter - Convert Roblox binary model files to Roblox XML in the browser
RBX Catalog Notifier - Be alerted when Roblox releases new virtual items on your Android phone
Roblox Item Notifier - Be alerted when Roblox releases new virtual items in your Chrome browser
Roblox Upload Enhancer - Bulk upload images to Roblox
Roblox Global Variable Enumerator - Discover global variables in Roblox's Lua environment
Live Update Plugin - Rapidly develop your Roblox game through instant reload after publishing
Roblox Forum Post Tabber - Automatically indent Roblox forum post drafts in your Chrome browaser
Roblox Canned Responses - Reuse responses to private messages in your Chrome browser

Vulnerability Disclosures

2016-09-28 Detecting Player Robux Balances
2016-09-15 CSRF in sending two-step verification message
2016-08-16 CSRF in group endpoints
2015-09-06 Injecting Lua code into game servers via Player.CharacterAppearance
2015-08-13 Detecting the existence of local files using path traversal
2015-08-03 ContentProvider vulnerable to path traversal attacks
2015-07-23 Using unmoderated game assets via asset handler
2015-07-15 CSRF in uploading assets
2014-11-19 Game server fork bomb
2014-11-17 Stealing a player's games
2014-11-17 Injecting Lua code into game servers using CreatePlaceInPlayerInventoryAsync
2014-11-10 Personal information disclosure via console
2014-11-10 Stealing a player's virtual currency
2014-08-29 Using unmoderated game assets
2014-08-29 Bypassing HttpService's rate limits
2014-08-26 Bypassing MAC address bans
2014-07-14 CSRF in changing group member ranks
2014-06-14 CSRF in email verification page
2014-06-11 Changing any user's birthdate or chat privacy setting
2014-05-04 Overwriting local files from Studio plugins
2014-04-16 CSRF in friend endpoints
2014-04-12 Reflected XSS in outdated JavaScript library
2014-03-06 Stealing the game server authentication key
2014-03-05 Creating a clan for any group
2014-03-01 Using unmoderated game assets
2014-02-21 Stealing the source of server scripts via HopperBins II
2014-02-07 Stealing a user's Robux from a Studio plugin
2014-02-07 Stealing the source of server scripts via HopperBins I
2013-10-22 Session hijacking in Studio
2013-07-31 CSRF in mobile site endpoints
2013-07-17 Unthrottled login endpoint
2013-07-16 Injecting Lua code into game servers using an unvalidated redirect and Player.CharacterAppearance
2013-07-16 Injecting Lua code into game client via querystring injection
2013-06-29 CSRF in reporting MAC addresses
2013-06-27 Uploading Luas as any user
2012-10-05 Persistent XSS in group admin page
2012-08-14 Persistent XSS in Studio's toolbox
2012-08-07 CSRF on sets page
2012-07-27 Fetch information from third-party website by bypassing filter

Matthew Dean

Posts

Projects

Talks

Recommendations

Vulnerability Disclosures