When I'm not making things, I like breaking things (responsibly). Here
are some things that I've broken with permission, in no particular
Environment Variable Leak
Found a vulnerability in the npm internal API that leaked environment
variables, including API keys and database passwords (I shit you not,
their Redis password used to be
on certain requests.
Angular statements put into meeting chat were not properly escaped,
and executed on all clients whether they had the chat open or not. This
HTML not escaped properly in Glossary and Updates views from the Translate
viewing a certain translation.
Cross-Site Scripting/Form Validator Bypass
When updating a user's profile, one could send arbitrary data to the
server in the name fields, which was later shown on the website without
being escaped, so you could put anything you wanted in there. It was
also shown and effective in the teacher's dashboard, so a student could
technically just XSS a teacher.
A certain exploit allows a student to gain access to the teacher dashboard
and do everything a teacher can do (enable tests/quizzes, view student
scores, add/delete/edit students and classes, etc.). This is obviously
An exploit in how wallpapers on Unified Workspace work allows a user
loading the workspace dashboard, and is then evaluated in a script.
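The profile-field and wallpaper findings above share one root cause: a value the user controls is accepted without server-side validation and then written into a page in a context (HTML text, or the body of an inline script) where it is interpreted rather than displayed. The snippet below is an added example, not code from this page or from any of the products mentioned; the function names (validateName, renderProfileCard, toScriptLiteral, renderDashboardScript) and the sample inputs are constructed for illustration. It shows the unsafe interpolation beside the hardened version for both contexts, since HTML escaping alone does not make a value safe to embed inside a script tag.

```javascript
// Added example (hypothetical helpers, not from the original page).
// Server-side re-validation plus context-aware output encoding for
// user-supplied values that end up in HTML or inside an inline script.

// Letters, combining marks, apostrophe, space, dot and hyphen; 1..64 chars.
const NAME_RE = /^[\p{L}\p{M}' .-]{1,64}$/u;

// A browser-side form validator can be skipped by posting to the API
// directly, so the server must validate every field itself.
function validateName(name) {
  if (typeof name !== "string") return { ok: false, reason: "not a string" };
  const trimmed = name.trim();
  if (!NAME_RE.test(trimmed)) return { ok: false, reason: "disallowed characters or length" };
  return { ok: true, value: trimmed };
}

// Encode for an HTML text or double-quoted attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the stored name is interpolated raw into the page, so any
// markup in it is rendered by every viewer (including the teacher's view).
function renderProfileCardUnsafe(name) {
  return `<div class="name">${name}</div>`;
}

// Hardened: the same template with the value encoded for HTML.
function renderProfileCard(name) {
  return `<div class="name">${escapeHtml(name)}</div>`;
}

// Embedding a user value in an inline <script>: JSON.stringify gives a valid
// JS string literal, but the HTML parser still sees "</script>" inside it and
// closes the tag early. Escape <, >, & and the JS line terminators too.
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Vulnerable: a user-chosen wallpaper URL dropped straight into script text.
function renderDashboardScriptUnsafe(wallpaperUrl) {
  return `<script>var wallpaper = "${wallpaperUrl}";</script>`;
}

// Hardened: the value is a properly encoded literal; only one </script>
// (the real closing tag) appears in the output.
function renderDashboardScript(wallpaperUrl) {
  return `<script>var wallpaper = ${toScriptLiteral(wallpaperUrl)};</script>`;
}

// Constructed sample inputs, as a bypassed client validator would deliver them.
const SAMPLE_NAME = "<b>not a name</b>";
const SAMPLE_WALLPAPER = '</script><b>x</b>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(validateName(SAMPLE_NAME));          // rejected on the server
  console.log(renderProfileCardUnsafe(SAMPLE_NAME)); // markup survives
  console.log(renderProfileCard(SAMPLE_NAME));       // markup encoded
  console.log(renderDashboardScriptUnsafe(SAMPLE_WALLPAPER)); // tag closed early
  console.log(renderDashboardScript(SAMPLE_WALLPAPER));       // safe literal
}
```

The two encoders are deliberately separate: which one applies depends on where in the document the value lands, and a value that is safe in one context is not automatically safe in the other.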