John Jackson
Other names: Mr. Hacking
Occupation: Hacker and security researcher
Known for: Sakura Samurai
John Jackson (born), also known as Mr. Hacking, is an American security researcher and the founder of the white-hat hacking group Sakura Samurai.
Jackson served in the United States Marine Corps from 2012 until 2017, where he was a petroleum engineer and logistics manager. He was discharged from the military after suffering an injury, and began attending the LeaderQuest Colorado certification bootcamp. After studying at LeaderQuest and learning on his own, he earned several cybersecurity certificates including ITIL, CompTIA A+ and Security+, and EC-Council Certified Network Defender (CND) and Certified Ethical Hacker (CEH).[1]
Jackson's first cybersecurity job was for Staples as an endpoint detection and response engineer. Jackson then became an application security engineer at Shutterstock from 2019 until 2021, where he was involved with maintaining the security of their web applications, managing their bug bounty program, and managing their static and dynamic application security testing tools. While employed with Shutterstock, he also worked as a penetration tester with 1337 Inc. and did bug bounty hunting in his spare time.
In March 2020, Jackson published a blog post about a vulnerability he had discovered with the Talkspace mental health app, after he told the company about the issue and was dismissed. Talkspace sent him a cease and desist letter shortly after the post was published, in what TechCrunch described as "just the latest example of security researchers facing legal threats for their work".[2]
In November 2020, Jackson and researcher Sick.Codes discovered two vulnerabilities in TCL brand televisions. The first would allow attackers on the adjacent network to access most system files, potentially leading to critical information disclosure. The second would allow attackers to read and write files in vendor resources directories, which could allow arbitrary code execution or enable attackers to compromise other systems on the network. After Jackson and Sick.Codes reported the vulnerabilities to TCL, TCL deployed a patch; however, Jackson and his research partner said the fix raised further concerns, as there had been no notification that the software had been updated, and TCL appeared to have full control over the device.[3][4][5] The vulnerability came to be described in media as a "Chinese backdoor". In a December 2021 speech to The Heritage Foundation, Acting Department of Homeland Security Secretary Chad Wolf said his agency was investigating the vulnerability due to concerns that the Chinese manufacturer may have "expos[ed] users to cyber breaches and data exfiltration".[6]
Also in November 2020, Jackson found a server-side request forgery vulnerability in, a popular JavaScript library published on npm.[7] [8] In March 2021, Jackson and other researchers discovered a similar bug in, a package used by around 278,000 software projects. The bug had existed for more than nine years.[9] [10] In April 2021, the group discovered the same flaw existed in the Python standard library, and more broadly was affecting other languages such as Perl, Go, and Rust.[11] [12] [13]
In December 2020, Jackson and Nick Sahler reported that they had gained access to a large quantity of sensitive data associated with the children's website Neopets. The data included database credentials, employee emails, and website source code.[14]
In September 2021, Jackson and Sick.Codes disclosed a vulnerability they had found in Gurock's test management tool TestRail, in which improper access control would allow access to a list of application files and file paths, which could then potentially expose sensitive data such as hardcoded credentials or API keys.[15]
See also: Sakura Samurai (group).
In 2020, Jackson founded Sakura Samurai, a white-hat hacking and security research group. Other current and former members of the group have included Robert Willis, Aubrey Cottle, and Higinio Ochoa.[16]
In January 2021, Jackson and other members of Sakura Samurai publicly reported that they had discovered exposed git directories and git credential files on domains belonging to two groups within the United Nations. The vulnerability exposed more than 100,000 private employee records.[17] [18]
In March 2021, Jackson and others in the group publicly disclosed vulnerabilities that affected 27 groups within the Indian government. After finding exposed git and configuration directories, Sakura Samurai were able to access credentials for critical applications, more than 13,000 personal records, police reports, and other data. The group also discovered vulnerabilities relating to session hijacking and arbitrary code execution on finance-related governmental systems.[19] After the issues reported to India's National Critical Information Infrastructure Protection Centre went unaddressed for several weeks, Sakura Samurai involved the U.S. Department of Defense Vulnerability Disclosure Program, and the issues were remediated.[20]
Jackson and other Sakura Samurai members found a vulnerability in Pegasystems' Pega Infinity enterprise software suite, which is used for customer engagement and digital process automation. The vulnerability, which was first reported to Pegasystems in February 2021, involved a possible misconfiguration that would enable data exposure.[21] The vulnerability led to the researchers breaching systems belonging to both Ford Motor Company and John Deere, incidents which were publicly disclosed in August 2021.[22] [23]
Jackson and other members of Sakura Samurai have also reported notable vulnerabilities related to organizations and software including Apache Velocity, Keybase, and Fermilab.[24] [25] [26]