About Me

Product Manager at Roblox

Web security enthusiast

Avid dodgeball player

Profiles

Twitter
GitHub
LinkedIn
Medium

Posts

Projects

Vulnerability Disclosures

2016-09-28
Detecting Player Robux Balances
2016-09-15
CSRF in sending two-step verification message
2016-08-16
CSRF in group endpoints
2015-09-06
Injecting Lua code into game servers via Player.CharacterAppearance
2015-08-03
ContentProvider vulnerable to path traversal attacks
2015-07-23
Using unmoderated game assets via asset handler
2015-07-15
CSRF in uploading assets
2014-11-19
Game server fork bomb
2014-11-17
Stealing a player's games
2014-11-17
Injecting Lua code into game servers using CreatePlaceInPlayerInventoryAsync
2014-11-10
Personal information disclosure via console
2014-11-10
Stealing a player's virtual currency
2014-08-29
Using unmoderated game assets
2014-08-29
Bypassing HttpService's rate limits
2014-08-26
Bypassing MAC address bans
2014-07-14
CSRF in changing group member ranks
2014-06-14
CSRF in email verification page
2014-06-11
Changing any user's birthdate or chat privacy setting
2014-05-04
Overwriting local files from Studio plugins
2014-04-16
CSRF in friend endpoints
2014-04-12
Reflected XSS in outdated JavaScript library
2014-03-06
Stealing the game server authentication key
2014-03-05
Creating a clan for any group
2014-03-01
Using unmoderated game assets
2014-02-21
Stealing the source of server scripts via HopperBins II
2014-02-07
Stealing a user's Robux from a Studio plugin
2014-02-07
Stealing the source of server scripts via HopperBins I
2013-10-22
Session hijacking in Studio
2013-07-31
CSRF in mobile site endpoints
2013-07-17
Unthrottled login endpoint
2013-07-16
Injecting Lua code into game servers using an unvalidated redirect and Player.CharacterAppearance
2013-07-16
Injecting Lua code into game client via querystring injection
2013-06-29
CSRF in reporting MAC addresses
2013-06-27
Uploading Luas as any user
2012-10-05
Persistent XSS in group admin page
2012-08-14
Persistent XSS in Studio's toolbox
2012-08-07
CSRF on sets page
2012-07-27
Fetch information from third-party website by bypassing filter
Undated
Detecting the existence of local files using path traversal
Undated
CSRF in activating and deactivating places
Undated
Internal development web page was public-facing