Alec Maly's Tech Blog

Alec Maly's Tech BlogAlec Maly's software and cybersecurity tech blog.https://alecmaly.com/Hasbro | MTG Arena: TextMeshPro injection via. WOTC DisplayName = 100% win rate against Desktop and iPad opponentshttps://alecmaly.com/blog/2025/11/26/MTG-Arena-TextMeshPro-Injection/https://alecmaly.com/blog/2025/11/26/MTG-Arena-TextMeshPro-Injection/TextMeshPro markup injection leads to whited out screen.Wed, 26 Nov 2025 00:00:00 GMTExploiting Cooke Based Self-XSShttps://alecmaly.com/blog/2025/07/16/Exploiting-Cookie-Based-Self-XSS/https://alecmaly.com/blog/2025/07/16/Exploiting-Cookie-Based-Self-XSS/A mildly interesting self-xss with some additional security content & best practices worth reviewing.Wed, 16 Jul 2025 00:00:00 GMTResolving Undocumented AWS Codebuild Errors and Discussing CI/CD GitHub Integration Securityhttps://alecmaly.com/blog/2025/06/17/Resolving-Undocumented-AWS-Codebuild-Errors-and-Discussing-CICD-GitHub-Integration-Security/https://alecmaly.com/blog/2025/06/17/Resolving-Undocumented-AWS-Codebuild-Errors-and-Discussing-CICD-GitHub-Integration-Security/Resolving an undocumented AWS Codebuild error and describing GitHub App integration security considerations.Tue, 17 Jun 2025 00:00:00 GMT[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivotinghttps://alecmaly.com/blog/2024/02/29/M365-Phish-Power-Platform-Pivoting-and-Privilege-Escalation/https://alecmaly.com/blog/2024/02/29/M365-Phish-Power-Platform-Pivoting-and-Privilege-Escalation/Exploring the M365 Power Platform as a means of privilege escalation and flexing control over a phishing victim's SharePoint, OneDrive, Outlook, and Microsoft Teams data. Thu, 29 Feb 2024 00:00:00 GMT[$1250 - High Severity] Bypassing Brower Extension's Geolocation Spoofing with a Malicious Website (Location Guard & ExpressVPN)https://alecmaly.com/blog/2023/08/28/Bypassing-Browser-Extensions-Geolocation-spoofing-to-Disclose-Physical-Location/https://alecmaly.com/blog/2023/08/28/Bypassing-Browser-Extensions-Geolocation-spoofing-to-Disclose-Physical-Location/Bypassing the spoof geolocation feature in browser extensions to disclose the physical location of a user. I share two high severity bugs. Bug 1 is a generic payload that works across multiple extensions, and bug 2 is an ExpressVPN specific payload that has been patched. This post is a case study with the Location Guard & ExpressVPN extensions, my bug bounty experience, and a few takeaways that may prove insightful for others.Mon, 28 Aug 2023 00:00:00 GMTOptimizing Multi-Destination Routes with Google Maps and a Chrome Extensionhttps://alecmaly.com/blog/2022/11/07/Optimizing-Multi-Destination-Routes-with-Google-Maps-and-a-Chrome-Extension/https://alecmaly.com/blog/2022/11/07/Optimizing-Multi-Destination-Routes-with-Google-Maps-and-a-Chrome-Extension/Finding the best route between multiple destinations in Google Maps or other tools can be frustrating. I have created a bespoke Chromium browser extension to help calculate a relatively optimal multi-destination travel route. Usage: Install the extension, navigate to https://maps.google.com, and use the tool.Mon, 07 Nov 2022 00:00:00 GMTM365 Internal Phish: Abusing the Power Platform for SharePoint/OneDrive Privilege Escalationhttps://alecmaly.com/blog/2022/05/13/Abusing-SharePoint-and-OneDrive-Permissions-with-PowerApps-and-Flow/https://alecmaly.com/blog/2022/05/13/Abusing-SharePoint-and-OneDrive-Permissions-with-PowerApps-and-Flow/An internal phishing POC leveraging Microsoft 365 citizen development tools (Power Platform). Phish for access to a target user's OneDrive and all SharePoint sites they own. Fri, 13 May 2022 00:00:00 GMTImage Slicing with Pythonhttps://alecmaly.com/blog/2022/01/25/Image-Slicing-With-Pyhon/https://alecmaly.com/blog/2022/01/25/Image-Slicing-With-Pyhon/Slicing and manipulating images with a Python GUI program using the Pillow and tkinter GUI packages.Tue, 25 Jan 2022 00:00:00 GMTDownload and Sort HackerOne Hacktivity Reports Using GraphQL Introspectionhttps://alecmaly.com/blog/2022/01/12/Download-and-Sort-HackerOne-Hacktivity-Reports-Using-GraphQL-Introspection/https://alecmaly.com/blog/2022/01/12/Download-and-Sort-HackerOne-Hacktivity-Reports-Using-GraphQL-Introspection/HackerOne hacktivity reports can have very useful (and interesting) content for learning how to test real systems for vulnerabilities. Unfortunately, it's impossible to sort on interesting fields such as severity and bounty from within the Hacktivity web UI. The goal of this post is to demonstrate a means of filtering/sorting HackerOne reports in an attempt to find writeups with valuable techniques/methodologies/strategies or other interesting information.Wed, 12 Jan 2022 00:00:00 GMTMy First Wordpress Site: olgastherapy.comhttps://alecmaly.com/blog/2022/01/04/My-First-Wordpress-Site-Olgas-Therapy/https://alecmaly.com/blog/2022/01/04/My-First-Wordpress-Site-Olgas-Therapy/Configuring wordpress and email for a small business by leveraging an always free Oracle cloud VPS, Google Workspace, and an assortment of free/trial tooling.Tue, 04 Jan 2022 00:00:00 GMTGame Hacking: Extracting Meshes to Make a Minimap HUDhttps://alecmaly.com/blog/2021/12/08/Game-Hacking-Extracting-Meshes-to-Make-a-Minimap-HUD/https://alecmaly.com/blog/2021/12/08/Game-Hacking-Extracting-Meshes-to-Make-a-Minimap-HUD/Extracting/ripping game meshes to create a minimap Heads Up Display (HUD) showing player position.Wed, 08 Dec 2021 00:00:00 GMTDebugging a Race Condition Between Microsoft Edge and SharePointhttps://alecmaly.com/blog/2021/11/23/Edge-SharePoint-Debugging-Race-Condition/https://alecmaly.com/blog/2021/11/23/Edge-SharePoint-Debugging-Race-Condition/A random redirect when opening Edge leads to an investigation discovering some interesting behavior between Edge and SharePoint.Tue, 23 Nov 2021 00:00:00 GMTScanning and Hooking Dynamic, Client-Side Data in Modern Web Applicationshttps://alecmaly.com/blog/2021/11/22/Scanning-and-Hooking-Dynamic-Client-Side-Data-in-Modern-Web-Applications/https://alecmaly.com/blog/2021/11/22/Scanning-and-Hooking-Dynamic-Client-Side-Data-in-Modern-Web-Applications/Scanning the DOM for interesting data + hooking getters/setters. Demonstrating POC w/ a PowerApps example.Mon, 22 Nov 2021 00:00:00 GMTFinding Vulnerabilities in an 18 Year Old MMOhttps://alecmaly.com/blog/2021/11/12/Finding-Vulnerabilities-in-an-18-Year-Old-MMO/https://alecmaly.com/blog/2021/11/12/Finding-Vulnerabilities-in-an-18-Year-Old-MMO/Finding and abusing size constrained XSS and a payment gateway bypass in an 18 year old MMO.Fri, 12 Nov 2021 00:00:00 GMTExploring the WinDbg Preview JavaScript APIhttps://alecmaly.com/blog/2021/10/22/Exploring-the-WinDbg-Preview-JavaScript-API/https://alecmaly.com/blog/2021/10/22/Exploring-the-WinDbg-Preview-JavaScript-API/Trying to recreate the x32dbg/x64dbg stacktrace and dereferencing features in WinDbg Preview by leveraging its JavaScript API. Additionally, playing with Time Travel Debugging (TTD) and inspecting memory on the heap. POC included.Fri, 22 Oct 2021 00:00:00 GMTHacking Electron Apps: Joplinhttps://alecmaly.com/blog/2021/10/12/Hacking-Electron-Apps-Joplin/https://alecmaly.com/blog/2021/10/12/Hacking-Electron-Apps-Joplin/Adding custom functionality to the Joplin note-taking app by injecting arbitrary JavaScript into source code. POC included.Tue, 12 Oct 2021 00:00:00 GMTAdventures in Open Source Contributing: Joplinhttps://alecmaly.com/blog/2021/10/11/Adventures-in-open-source-contributing-Joplin/https://alecmaly.com/blog/2021/10/11/Adventures-in-open-source-contributing-Joplin/Fixing a bug in open source software leads to diagnosing a systemic unit testing bug.Mon, 11 Oct 2021 00:00:00 GMTAndroid Hacking Tips and Tricks with Frida & BurpSuitehttps://alecmaly.com/blog/2021/10/10/Android-Hacking-Tips-and-Tricks-with-Frida-and-BurpSuite/https://alecmaly.com/blog/2021/10/10/Android-Hacking-Tips-and-Tricks-with-Frida-and-BurpSuite/Learning by modifying an android .apk, intercepting + decrypting network traffic, and poking at game memory (changing function arguments + return values / calling functions by virtual address).Sun, 10 Oct 2021 00:00:00 GMT