Andy Guo
Click on a position to learn more.
I worked as a SDE Intern at Stackline, a retail intelligence company, during the Summer of 2023 and 2024 in downtown Seattle, WA. I'm currently working part-time, remotely from college.
During my Summer 2023 internship, I primarily explored the security side of things, peforming audits and pentesting on the Brandclub mobile app, which is a popular customer loyalty program that has been used by over 880K people. To summarize, I discovered and patched numerous API vulnerabilities, some of which allowed denial-of-service and unauthorized financial transactions.
In the Summer of 2024, I worked mostly on the backend of the mobile app, focusing on improving our web automation services. Much of this work involved reverse engineering and evading various bot protection vendors, such as Akamai BMP, Shape Security, and Amazon Metadata1. This was done in collaboration with my great friend and co-intern James Xu.
Since then, I've been continuing to research and implement methods to enhance the Brandclub Checkout and Sync user experience. Thank you to the wonderful Jonny Reiss for his help and guidance as a mentor, recuiter, and manager throughout my time at Stackline.
Failed ventures and other little adventures!
Reverse engineered the Veo Micromobility scooter mobile application (that's a nasty sentence). I found an extremely severe vulnerability that I'm currently working on disclosing.
Reverse engineered the TransitGo app, a mobile application that allows users to pay for Seattle's public transportation. I found an amusing method that allows users to ride for free. I may or may not have used this to commute to work for free over the course of my internship in Seattle. To be fair the drivers don't really care.
Reverse engineered the DuoSecurity mobile app, created my own script to auto-approve my login requests whenever I want. This is directly tied to my little project, Pushmate, which is listed above!
Aimed to create study guides and flashcards for students using LLM technology and OCR. The project was abandoned due to the lack of a viable business model. Worked on this with James Xu, Elizabeth Qiu, and Nico (sorry heh I don't know your last name). I've observed many similar projects since then, best of luck to those!
Reverse engineered Fetch Rewards, a mobile application that allows users to submit receipts for cash and gift card rewards. I have discovered some things, but I cannot reveal what they are due to legal reasons. All work will be disclosed to Fetch.
A social hub for friends and family to monitor finance, a simple and secure platform for lending and spending, and a non-destructive companion to one's buying experience. Spending other people's money has never been easier and more secure. Built for the Bitcamp 2022 hackathon. Devpost
GOAT is a sneaker marketplace that hosts a Black Friday sale every year where they release extremely valuable sneakers in a FCFS release style. I extracted the API endpoints from the mobile app and used them to create a bot that automatically detected the release in milliseconds, solved the CAPTCHA challenge, submitted the purchase, and polled the enqueued order's status.
My first ever foray into reverse engineering Android apps. Veve is a digital collectibles marketplace that hosts a variety of NFTs, including Marvel, DC, and more. My plan was to build a bot for their releases which would net me collectibles which I could then exchange for gems, and eventually cash! I eventually gave up, thanks to Kasada's bot mitigation technology.
A privacy-forward Chrome Extension that allows users to monitor where their data is being sent and how it is being used. Built for the TeenhacksLI 2021 hackathon and won the People's Choice award. Devpost
A prototype comprised of a Chrome extension and a Node script to automate the process of solving Google ReCAPTCHAs (y'know, the thing that asks you to select traffic lights). I whiteboarded all the logic for correlating bounding box data with the correct image tiles, which was super fun. Object detection technology provided by AWS Rekognition. Demo
Aimed to create study guides and flashcards for students using LLM technology and OCR. The project was abandoned due to the lack of a viable business model.
created my first website using html/css and coding in the now-retired atom text editor! :)
Last updated: October 21, 2024.
Copyright 2024. Andy Guo