Hello, I'm a developer.
netsec noob.
human being named TJ.

Nice to meet you.

About Me

My name is TJ, and I'm a 16-year-old developer. And this is my website! I'm listening to nothing by nobody right now.


Some handy links you may want: Twitter // Blog // Telegram // GitHub


I am an Intern in Software Engineering at srnd.org, the non-profit behind fun events like CodeDay and CodeBreak. I help make software such as CodeDay Clear, CodeDay Showcase, and more. See our open source site for a list of projects I've probably touched.

Not only do I work on projects at srnd.org, but I have many personal projects listed below (and on GitHub). So check them out as well :)

My Work

Some stuff I've worked on over the years. These are only a few of my projects; you can find all the rest on GitHub.

CodeDay Companion: A native Android app written in Kotlin to provide useful and contextually relevant information (such as upcoming event activities and announcements from the organizers) to CodeDay attendees before, during, and after the event. Source code will be released eventually.

MakerBot WebUI: A Node.js web app that acts as a MakerBot 3D printer controller. It's targeted toward public spaces such as college campuses or makerspaces that have public 3D printers. It lets users sign up on their own and queue their own prints. Basically, it eliminates the need for someone onsite to manually queue prints.

node-makerbot-rpc: A node module that communicates with MakerBot 3D printers via JSON-RPC. Supports things like uploading print files and basic functionality. Useful for automation. Also used in the MakerBot WebUI project :)

ExpressPoll 5000 Hacking: Some security research regarding the ExpressPoll 5000 done at DEF CON 25. Received some press coverage as well:


In my free time, I like poking websites for security vulnerabilities. And, of course, I disclose them responsibly. Here's what I've found.

Environment Variable Leak on npm: Found a vulnerability in the npm internal API that leaked environment variables, including API keys and database passwords (Seriously, their Redis password used to be this-is-a-password-for-redis-and-it-is-a-secret-so-dont-share-it), on certain requests.

Cross-Site-Scripting on GoToMeeting: Angular statements put into meeting chat were not properly escaped, and executed on all clients whether they had the chat open or not. This allowed an attacker to execute arbitrary JavaScript on all clients in the meeting.

Cross-Site-Scripting on Transifex: HTML not escaped properly in Glossary and Updates views from the Translate page, allowing an attacker to execute arbitrary JavaScript on a client viewing a certain translation.

Cross-Site Scripting and Privilege Escalation on Big History Project: When updating a user's profile, one could send arbitrary data to the server in the name fields, and that is later shown on the website but isn't escaped, so you could put anything you want in there. It is also shown and effective in the teacher's dashboard, so a student could technically just XSS a teacher.

A certain exploit allows a student to gain access to the teacher dashboard, and do everything a teacher can do (enable tests/quizzes, view student scores, add/delete/edit students and classes, etc.) This is obviously really bad.

Cross-Site-Scripting on Lenovo Unified Workspace: An exploit in how wallpapers on Unified Workspace works allows a user to input arbitrary JavaScript, which is later not escaped properly when loading the workspace dashboard, and is then evaluated in a script.

This website is © TJ Horner 2017 yeah yeah whatever you get it