zemnmez
Thomas Shadwell LogoA 2D pyramidal frustum (triangle with the top missing). In the center is an open eye, below the eye, a single tear.
Thomas NJ Shadwell

I am an internationally recognised expert on computer security, with specialisms in web security, security program (SSDLC) construction, and automated security analysis.

I am a Member of Technical Staff at OpenAI, where I work on computer security.

I am interested in consulting on legal cases. For business, email me at thomas@shadwell.im.

A selection of my work over the years can be found below.

2023
XXIX
November.
Member of Technical Staff, Security Product and Platform (PROP), OpenAI
October.
crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard Vulnerability in second most popular Javascript cryptography library allowing forgery of digital signatures. CVE-2023-46133.
crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard Vulnerability in maintained fork of most popular Javascript cryptography library allowing forgery of digital signatures. CVE-2023-46233.
August.
Def Con Black Badge the highest award given by the world's largest hacker convention. Awarded for the HackFortress CTF.
Def Con 31 Hack Fortress Champions hybrid ctf / esports competition winners.
Visual Studio Code is why I have (Workspace) Trust issues talk at Def Con by Sonar R&D including original research into VSCode security, reflecting on my own prior art CVE-2022-41034 (not my talk).
March.
Login CSRF, VTubeStudio fun little bug to hijack popular streaming application VTubeStudio.
2022
XXVIII
November.
Visual Studio Code: Remote Code Execution Google research; exploit to remotely take over VSCode and any attached cloud systems. CVE-2022-41034, GHSA-pw56-c55x-cm9m.
2021
XXVII
November.
Relocated to San Francisco from London.
July.
Monorepo a polyglot, fully tested, automatically upgraded, automatically versioned, continuously integrated monorepo ecosystem reflecting ideas I had working on hardening at scale at Google.
Apple Hall of Fame For major security issue covered in 'How to Hack Apple ID'.
2020
XXVI
December.
How to Hack Apple ID bypassing cutting-edge web security techniques to hack Apple ID.
October.
Typescript Union Merging Using interface merging to write somewhat decentralised Redux actions.
August.
HackFortress DefCon 2020 Champions
July.
Senior Information Security Engineer, Google ISE hardening Automated security mitigation, detection and refactoring using compiler technology (“langsec”), SDKs and DSLs (“hardening”) on TypeScript and Java. Google-wide mitigations for Log4Shell, XSS, deserialization attacks. Product security review and design, Google Ads (“FLOC”, “FLEDGE”), Google Cloud, Google's IDE (“Cider”). Research including critical disclosures such as CVE-2022-41034.
May.
Why We don't we have UIs like the ones in Neon Genesis Exploration of how rendering hardware has affected UI design.
April.
do-sync Async to sync library for encapsulated javascript macros.
February.
SVGShot small tool for taking SVG 'screenshots' of webpages.
HackFortress Shmoocon 2020 Champions defended title for hybrid gaming ctf.
2019
XXV
December.
UK Government Vulnerability Disclosure Initiative responsible disclosure program created with the UK National Cyber Security Center covering all government assets.
November.
Chromium cross-origin bypass in Google Chrome, Blink, or Chromium, it was possible to bypass cross-origin restrictions by causing a refresh of a failed cross-origin request. CVE-2019-13664.
August.
hack fortress DEFCON 2018 winners
If CORS is just a header, why don’t attackers just ignore it? article on common security misconceptions around CORS.
July.
CSVPretty typescript pretty printer for the CSV format.
National Cyber Security Centre 'Turing' challenge coin award for my work on UK government vulnerability disclosure policy and my responsible disclosure of vulnerabilities in the UK tax system.
June.
react-oauth2-hook An entirely clientside implementation of an oauth2 implicit client, with React hooks.
May.
Full Steam Ahead: Remotely Executing Code in Modern Desktop Applications technical talk at offensive AppSec conference Infiltrate summarising through example research into hybrid web / desktop application security.
April.
IE 11 command switch injection in IE11, programs on the user's computer could be launched with arbitrary arguments by running executing the scheme in an iframe. CVE-2019-0764.
January.
hack fortress 2019 champions hybrid ctf / esports competition winners.
reactive-d3 react helper bindings for d3.
$7,500 Steam Weakness Let Hackers Take Remote Control Of Gamers' PCs news coverage of steam rce.
linear react based personal website for 2019.
Steam Remote Code Execution vulnerability to remotely access Steam users' computers.
XSS in Steam React Chat Client XSS to RCE on Steam.
2018
XXIV
December.
Übersicht Remote Code Execution, Spotify takeover Quick article on the security of modern desktop web applications.
September.
Cross-site information assertion leak via Content Security Policy CSP1 information leak allowing efficient deanonymisation of internet users.
I hacked video games like 300 times and all I got was this stupid talk talk at game dev days 2018 in Graz, Austria summarising some security concepts for game developers.
January.
Application Security Engineer, UK National Cyber Security Centre advisory position. Provided expertise to UK cyber advisory / defence group on Go and building security analysis systems. Launched world's first government-wide responsible disclosure program.
forbes 30 under 30, tech for my work at Twitch, and on responsible disclosure.
2017
XXIII
November.
how to hack the uk tax system: the talk talk at owasp about critical uk tax system flaw in obfuscated system and the 57 day trek to get it fixed.
September.
'Serious' security flaws found on official UK tax site news post on manipulation of UK tax data.
how to hack the uk tax system, i guess vulnerability allowing manipulation of UK tax system.
July.
This Will Cut You: Go's Sharper Edges musings on go-specific security gotchas.
February.
Design Evolves By Constraint musings on the evolution of design.
2016
XXII
May.
'Mr. Robot' Web Weaknesses Left Fans And USA Network Vulnerable, Warns Non-Fictional Hacker code execution in official Mr Robot site.
Irony Alert: Hacker Finds Vulnerability In Mr Robot Website XSS in Mr Robot official site.
April.
steam patches broken crypto in wake of replay, padding oracle attacks padding oracle based decryption of Steam traffic.
January.
Buffalo NAS Remote Shutdown unauthorized remote shutdown of Buffalo-made network attached storage devices.
CVE-2016-2049 Host based account hijack attack on php-openid.
r.no.ms minimal reactive d3.js resistor colour code calculator.
2015
XXI
December.
Burning Flames Finder’s Fee unique developer granted cosmetic item for the video game Team Fortress 2 granted for security issue allowing decryption of all Steam traffic.
October.
Nebula Finder’s Fee unique developer granted cosmetic item for the video game Team Fortress 2 granted for security issues allowing remote access to computers running the video game.
2014
XX
September.
Senior Application Security Engineer, Twitch first security engineer at the video game streaming website. Designed security architecture for flagship projects including bits, the Twitch API, extensions and Twitch's OIDC / OAuth AuthN/Z systems. Created and defined security relationships and processes. Built Go security static analysis system, security frameworks and libraries.
July.
when security creates insecurity exploit using content security policy 1 to steal data on the web.
April.
Sunbeams Ebenezer unique developer granted cosmetic item for the video game Team Fortress 2 granted for security issues allowing movement millions of dollars of virtual items between arbitrary accounts via account takeover.
January.
5th place, Cambridge Chemistry Challenge (C3L6) international chemistry challenge.
2013
XIX
January.
7th place Cambridge Chemistry Challenge (C3L6) international chemistry challenge.
2012
XVIII
May.
Software Engineer, Consultant full stack freelance work building MVPs for London startups and wrangling data for hackathons.
March.
Developer, Rewired State charity focused on teaching code literacy. Ran and participated in hackathons for good causes. Taught software engineering to young people.
2011
XVII
November.
MozFest: Rewired State geeft jonge programmeurs een kans Interview on National Hack the Government Day prize (dutch).
September.
Sr. Admin, TF2Outpost Volunteer role at once largest trading website in the Steam community. Worked on administration of high-profile trades & scams.
August.
Better understanding of the work of Parliament Prize Rewired State: Parliament.
April.
Geckoboard Prize London Real Time Hackathon.
Wallace and Gromit Prize National Hack the Government Day 2011.
February.
Best example of Coding Young Rewired State 2011.

About.

The design of this website.

This website is a direct descendant of one I made in 2019. The core ideas come from very early on when I was using the internet, and I didn't want to tell people with my chosen username what kind of person I was. I picked the username zemnmez to be something meaningless that people could fill with their own ideas of who I was.

Similarly, when I made the website, I didn't want to tell people directly about myself, so instead I made this timeline to keep track of what I had done every year. The number in roman numerals is my age that year. It fulfilled another role as I was collecting my work to apply for my US O1 visa, which requires proving that you've done a lot of interesting things!

The background video (hero video) is of a hidden area in the gardens of Kenwood House, a beautiful stately home sandwiched between Highgate and Hampstead in London where I grew up. It's located at about 51.57139601074658°N, -0.16924392259112794°E.

It used to be that there was a bench hidden under overgrown bushes and a tree near the hydrangeas past the orangery. I took a video from there one summer – I was collecting photos and videos to remind me of home because I knew I'd leave it behind someday to move to the US.

The type and style itself was inspired by older, pre-computer era typsetting such as the Lloyd's Act 1871. Particular effort was put into trying to have content fill horizontal space automatically, as seen in older documents that try to make the most of the paper they're printed on.

What's the difference between Zemnmez LogoOne big square, two small squares and 4 rectangles make up a shape that resembles a stylised, angular eye. A square, rotated 45° so that its corners point up, down, left and right. The square has on either side of it two similar smaller squares, separated by a small gap. Each of the four square's sides have a rectangle following their edges with the same small gap. and Thomas Shadwell LogoA 2D pyramidal frustum (triangle with the top missing). In the center is an open eye, below the eye, a single tear.?

The diamond logo (Zemnmez LogoOne big square, two small squares and 4 rectangles make up a shape that resembles a stylised, angular eye. A square, rotated 45° so that its corners point up, down, left and right. The square has on either side of it two similar smaller squares, separated by a small gap. Each of the four square's sides have a rectangle following their edges with the same small gap.) came out of several years of wanting a way to express myself in art. For a few years following, I changed logo annually based how I'd felt the year prior, making logos with geometry and construction lines.

When I eventually made the diamond logo, it ended up looking a like an eye logo I'd made very early on in 2012. I liked it so much it came to represent the persona I had since 2009. The logo itself is from much later, probably around 2015.

The time eye logo (Thomas Shadwell LogoA 2D pyramidal frustum (triangle with the top missing). In the center is an open eye, below the eye, a single tear.) was the later (2019) creation, coming out of a specific need to disambiguate between the published work I had as Thomas Shadwell, my real name, versus zemnmez, the persona I had used since 2009. It became necessary after I made the Forbes Under 30 list for my tax system hack in 2018. Before this point I'd worked hard to try to keep the two identities separate, but Forbes lists aren't really for online personas.

The eye logo is a reference to the well-known eye of providence, a symbol that represents human achievement as being incomplete without God. I wanted it to reflect the idea that, in a universe that might not have a God, we as people have a responsibility to care for each other.

In having to make this distinction, for a short time the work published as zemnmez continued to represent the things I was most proud of – an idealised kind of self. But at Google, I started to publish security research I was really proud of as both zemnmez and Thomas Shadwell The abstract ideas are still there, but now I'm more Thomas than I ever was. ☺

Zemnmez LogoOne big square, two small squares and 4 rectangles make up a shape that resembles a stylised, angular eye. A square, rotated 45° so that its corners point up, down, left and right. The square has on either side of it two similar smaller squares, separated by a small gap. Each of the four square's sides have a rectangle following their edges with the same small gap.This is what we become, when our eyes are open.