John Jackson (hacker)

John Jackson
Other names: Mr. Hacking
Occupation: Hacker and security researcher
Known for: Sakura Samurai

Military career
Allegiance: United States

John Jackson (born), also known as Mr. Hacking, is an American security researcher and the founder of the white-hat hacking group Sakura Samurai.

Early career and education

Jackson served in the United States Marine Corps from 2012 until 2017, where he was a petroleum engineer and logistics manager. He was discharged from the military after suffering an injury, and began attending the LeaderQuest Colorado certification bootcamp. After studying at LeaderQuest and learning on his own, he earned several cybersecurity certificates including ITIL, CompTIA A+ and Security+, and EC-Council Certified Network Defender (CND) and Certified Ethical Hacker (CEH).[1]

Career

Jackson's first cybersecurity job was at Staples as an endpoint detection and response engineer. He then worked as an application security engineer at Shutterstock from 2019 until 2021, where he was responsible for the security of the company's web applications, managed its bug bounty program, and managed its static and dynamic application security testing tools. While employed at Shutterstock, he also worked as a penetration tester with 1337 Inc. and did bug bounty hunting in his spare time.

Independent research

In March 2020, Jackson published a blog post about a vulnerability he had discovered with the Talkspace mental health app, after he told the company about the issue and was dismissed. Talkspace sent him a cease and desist letter shortly after the post was published, in what TechCrunch described as "just the latest example of security researchers facing legal threats for their work".[2]

In November 2020, Jackson and the researcher Sick.Codes discovered two vulnerabilities in TCL brand televisions. The first would allow attackers on the adjacent network to access most system files, potentially leading to critical information disclosure. The second would allow attackers to read and write files in vendor resource directories, which could allow arbitrary code execution or enable attackers to compromise other systems on the network. After Jackson and Sick.Codes reported the vulnerabilities to TCL, TCL deployed a patch. However, the two researchers said the fix raised further concerns: there had been no notification that the software had been updated, and TCL appeared to have full control over the device.[3] [4] [5] The vulnerability came to be described in the media as a "Chinese backdoor". In a December 2021 speech to The Heritage Foundation, Acting Department of Homeland Security Secretary Chad Wolf said his agency was investigating the vulnerability due to concerns that the Chinese manufacturer may have "expos[ed] users to cyber breaches and data exfiltration".[6]

Also in November 2020, Jackson found a server-side request forgery vulnerability in, a popular JavaScript library published on npm.[7] [8] In March 2021, Jackson and other researchers discovered a similar bug in, a package used by around 278,000 software projects. The bug had existed for more than nine years.[9] [10] In April 2021, the group discovered that the same flaw existed in the Python standard library and, more broadly, affected other languages such as Perl, Go, and Rust.[11] [12] [13]
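The IP-validation flaw behind these SSRF bugs, as an added example (not code from the article or from the libraries involved): a lenient parser drops leading zeros and reads every octet as decimal, the C library reads a leading zero as octal, and a hardened parser rejects the ambiguity instead of guessing. The helper names `_parse`, `is_internal` and `filter_gap` are illustrative, not any project's API.

```python
"""Leading-zero ambiguity in IPv4 parsing, the bug class named above (added
example, not code from the article or the affected libraries). A lenient filter
reads "0177.0.0.1" as decimal 177.0.0.1 (public) while the C library treats a
leading 0 as octal (0177 = 127, loopback), so an SSRF allow-list check and the
real connection disagree. The hardened parser rejects such strings outright."""
import re

def _parse(text: str, octet) -> int:
    """Split into four dotted parts, convert each with `octet`, pack to an int."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted octets: {text!r}")
    values = [octet(p) for p in parts]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range: {text!r}")
    return int.from_bytes(bytes(values), "big")

def parse_lenient(text: str) -> int:
    """Style of the vulnerable libraries: every octet read as decimal, so
    leading zeros are silently dropped ("0177" -> 177)."""
    return _parse(text, lambda p: int(p, 10))

def _c_octet(p: str) -> int:
    if p.lower().startswith("0x"):
        return int(p[2:], 16)                                   # hex
    return int(p, 8) if len(p) > 1 and p[0] == "0" else int(p)  # octal / decimal

def parse_c_style(text: str) -> int:
    """Models inet_aton(3): "0x" is hex, a leading "0" is octal ("0177" -> 127)."""
    return _parse(text, _c_octet)

def parse_strict(text: str) -> int:
    """Hardened parser: decimal octets, no leading zeros, no hex, so every
    accepted string has exactly one interpretation."""
    def octet(p: str) -> int:
        if not re.fullmatch(r"0|[1-9][0-9]{0,2}", p):
            raise ValueError(f"ambiguous or malformed octet {p!r} in {text!r}")
        return int(p)
    return _parse(text, octet)

def is_internal(addr: int) -> bool:
    """Loopback or RFC 1918 (127/8, 10/8, 172.16/12, 192.168/16)."""
    return (addr >> 24 in (10, 127) or addr >> 20 == (172 << 4) | 1
            or addr >> 16 == (192 << 8) | 168)

def filter_gap(text: str) -> bool:
    """True when a lenient private-range filter lets the string through even
    though the C library would connect to an internal address."""
    return not is_internal(parse_lenient(text)) and is_internal(parse_c_style(text))
```

`filter_gap("0177.0.0.1")` returns True (the lenient filter sees 177.0.0.1, the socket layer connects to 127.0.0.1), while `parse_strict` refuses the string altogether.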

In December 2020, Jackson and Nick Sahler reported that they had gained access to a large quantity of sensitive data associated with the children's website Neopets. The data included database credentials, employee emails, and website source code.[14]

In September 2021, Jackson and Sick.Codes disclosed a vulnerability they had found in Gurock's test management tool TestRail, in which improper access control would allow access to a list of application files and file paths, which could then potentially expose sensitive data such as hardcoded credentials or API keys.[15]

Sakura Samurai

See also: Sakura Samurai (group).

In 2020, Jackson founded Sakura Samurai, a white-hat hacking and security research group. Other current and former members of the group have included Robert Willis, Aubrey Cottle, and Higinio Ochoa.[16]

In January 2021, Jackson and other members of Sakura Samurai publicly reported that they had discovered exposed git directories and git credential files on domains belonging to two groups within the United Nations. The vulnerability exposed more than 100,000 private employee records.[17] [18]

In March 2021, Jackson and others in the group publicly disclosed vulnerabilities that affected 27 groups within the Indian government. After finding exposed git and configuration directories, Sakura Samurai were able to access credentials for critical applications, more than 13,000 personal records, police reports, and other data. The group also discovered vulnerabilities relating to session hijacking and arbitrary code execution on finance-related governmental systems.[19] After the issues reported to India's National Critical Information Infrastructure Protection Centre went unaddressed for several weeks, Sakura Samurai involved the U.S. Department of Defense Vulnerability Disclosure Program, and the issues were remediated.[20]

Jackson and other Sakura Samurai members found a vulnerability in Pegasystems' Pega Infinity enterprise software suite, which is used for customer engagement and digital process automation. The vulnerability, which was first reported to Pegasystems in February 2021, involved a possible misconfiguration that would enable data exposure.[21] The vulnerability led to the researchers breaching systems belonging to both Ford Motor Company and John Deere, incidents which were publicly disclosed in August 2021.[22] [23]

Jackson and other members of Sakura Samurai have also reported notable vulnerabilities related to organizations and software including Apache Velocity, Keybase, and Fermilab.[24] [25] [26]

Publications

Notes and References

  1. Jackson, John, and Ricki Burke. "United States Marine to Application Security Engineer, with John Jackson." Hacking into Security (podcast), October 31, 2020.
  2. Whittaker, Zack. "Talkspace threatens to sue a researcher over bug report." TechCrunch, March 9, 2020. Retrieved September 26, 2021.
  3. Roberts, Paul. "Security Holes Opened Back Door To TCL Android Smart TVs." The Security Ledger with Paul F. Roberts, November 12, 2021. Retrieved September 26, 2021.
  4. Wagenseil, Paul. "TCL Android TVs may have 'Chinese backdoor' — protect yourself now (Update)." Tom's Guide, November 16, 2020. Retrieved September 27, 2021.
  5. Vincent, Brittany. "Report: Researchers Find 'Backdoor' Security Flaw in TCL Smart TVs." PCMag, November 18, 2020. Retrieved September 26, 2021.
  6. Wagenseil, Paul. "Department of Homeland Security: China using TCL TVs to spy on Americans." Tom's Guide, December 23, 2021. Retrieved September 26, 2021.
  7. Bennett, Jonathan. "This Week In Security: IOS Wifi Incantations, Ghosts, And Bad Regex." Hackaday, December 4, 2020. Retrieved September 26, 2021.
  8. Roberts, Paul. "Exploitable Flaw in NPM Private IP App Lurks Everywhere, Anywhere." The Security Ledger with Paul F. Roberts, November 25, 2021. Retrieved September 26, 2021.
  9. Bannister, Adam. "SSRF vulnerability in NPM package Netmask impacts up to 279k projects." The Daily Swig, March 29, 2021. Retrieved September 26, 2021.
  10. Speed, Richard. "Sitting comfortably? Then it's probably time to patch, as critical flaw uncovered in npm's netmask package." The Register, March 29, 2021. Retrieved September 26, 2021.
  11. Sharma, Ax. "Python also impacted by critical IP address validation vulnerability." BleepingComputer, May 1, 2021. Retrieved September 26, 2021.
  12. Sharma, Ax. "Critical netmask networking bug impacts thousands of applications." BleepingComputer, March 28, 2021. Retrieved September 26, 2021.
  13. Sharma, Ax. "Go, Rust 'net' library affected by critical IP address validation vulnerability." BleepingComputer, August 7, 2021. Retrieved September 26, 2021.
  14. Roberts, Paul. "Update: Neopets Is Still A Thing And Its Exposing Sensitive Data." The Security Ledger with Paul F. Roberts, December 28, 2021. Retrieved September 26, 2021.
  15. Toulas, Bill. "Researchers Discover Remotely Exploitable Flaw Resulting in File Exposure on Gurock TestRail." TechNadu, September 22, 2021. Retrieved October 8, 2021.
  16. Jackson, John. "Episode 200: Sakura Samurai Wants To Make Hacking Groups Cool Again. And: Automating Our Way Out of PKI Chaos." The Security Ledger with Paul F. Roberts, January 22, 2021. Retrieved September 26, 2021.
  17. Riley, Duncan. "United Nations data breach exposes details of more than 100,000 employees." SiliconANGLE, January 11, 2021. Retrieved August 12, 2021.
  18. Spadafora, Anthony. "United Nations suffers major data breach." TechRadar, January 11, 2021. Retrieved September 26, 2021.
  19. Sharma, Ax. "Researchers hacked Indian govt sites via exposed git and env files." BleepingComputer, March 12, 2021. Retrieved September 26, 2021.
  20. Majumder, Shayak. "Government-Run Web Services Found to Have Major Vulnerabilities: Reports." NDTV-Gadgets 360, February 22, 2021. Retrieved August 16, 2021.
  21. "NVD – CVE-2021-27653." nvd.nist.gov. Retrieved August 12, 2021.
  22. Sharma, Ax. "Ford bug exposed customer and employee records from internal systems." BleepingComputer, August 15, 2021. Retrieved September 26, 2021.
  23. Bracken, Becky. "Connected Farms Easy Pickings for Global Food Supply-Chain Hack." ThreatPost, August 10, 2021. Retrieved September 26, 2021.
  24. Sharma, Ax. "Undisclosed Apache Velocity XSS vulnerability impacts GOV sites." BleepingComputer, January 15, 2021. Retrieved August 16, 2021.
  25. Osborne, Charlie. "Keybase patches bug that kept pictures in cleartext storage on Mac, Windows clients." ZDNet, February 23, 2021. Retrieved August 16, 2021.
  26. Sharma, Ax. "US physics lab Fermilab exposes proprietary data for all to see." Ars Technica, May 6, 2021. Retrieved September 26, 2021.