John Jackson (born 1994 or 1995),[1] also known as Mr. Hacking, is an American security researcher and founder of the white-hat hacking group Sakura Samurai.
John Jackson | 
---|---
Born | 1994 or 1995 (age 29–30)
Other names | Mr. Hacking
Occupation(s) | Hacker and security researcher
Known for | Sakura Samurai
Military career | 
Allegiance | United States
Service | U.S. Marine Corps
Early career and education
Jackson served in the United States Marine Corps from 2012 until 2017, where he was a petroleum engineer and logistics manager. He was discharged from the military after suffering an injury, and began attending the LeaderQuest Colorado certification bootcamp. After studying at LeaderQuest and learning on his own, he earned several cybersecurity certificates including ITIL, CompTIA A+ and Security+, and EC-Council Certified Network Defender (CND) and Certified Ethical Hacker (CEH).[2]
Career
Jackson's first cybersecurity job was for Staples as an endpoint detection and response engineer. Jackson then became an application security engineer at Shutterstock from 2019 until 2021, where he was involved with maintaining the security of their web applications, managing their bug bounty program, and managing their static and dynamic application security testing tools. While employed with Shutterstock, he also worked as a penetration tester with 1337 Inc. and did bug bounty hunting in his spare time.[2]
Independent research
In March 2020, Jackson published a blog post about a vulnerability he had discovered in the Talkspace mental health app, after he had told the company about the issue and his report was dismissed. Talkspace sent him a cease and desist letter shortly after the post was published, in what TechCrunch described as "just the latest example of security researchers facing legal threats for their work".[3]
In November 2020, Jackson and researcher Sick.Codes discovered two vulnerabilities in TCL brand televisions. The first would allow attackers on the adjacent network to access most system files, potentially leading to critical information disclosure. The second would allow attackers to read and write files in vendor resources directories, which could allow arbitrary code execution or enable attackers to compromise other systems on the network. After Jackson and Sick.Codes reported the vulnerabilities to TCL, TCL deployed a patch. However, the two researchers said the fix raised further concerns: there had been no notification that the software had been updated, and TCL appeared to have full control over the device.[4][5][6] The vulnerability came to be described in media as a "Chinese backdoor".[5] In a December 2021 speech to The Heritage Foundation, Acting Department of Homeland Security Secretary Chad Wolf said his agency was investigating the vulnerability due to concerns that the Chinese manufacturer may have "expos[ed] users to cyber breaches and data exfiltration".[7]
Also in November 2020, Jackson found a server-side request forgery vulnerability in private-ip, a popular JavaScript library published on npm.[8][9] In March 2021, Jackson and other researchers discovered a similar bug in netmask, a package used by around 278,000 software projects. The bug had existed for more than nine years.[10][11] In April 2021, the group discovered the same flaw existed in the Python ipaddress standard library, and more broadly was affecting other languages such as Perl, Go, and Rust.[12][13][14]
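The private-ip, netmask and ipaddress findings above concern IPv4 validators that read an address literal differently from the resolver the request actually goes through; an octet with a leading zero, which one side reads as decimal and the C library reads as octal, is the classic case. The block below is an added illustration, not code from the article or from the researchers it describes: a lenient "is this address public?" check of the kind that fails, the C-library view of the same string, and a strict check that accepts only canonical dotted-quads and so cannot disagree with the resolver. The inputs are constructed, the function names are invented for this example, and the resolver view assumes a glibc-style inet_aton (Linux) underneath Python's socket module.

```python
# Added example (not from the article or the researchers it describes):
# how one IPv4 literal parsed two different ways can slip an internal
# address past an SSRF egress check. Constructed inputs only; no traffic.
import ipaddress
import re
import socket
from typing import Optional

# Canonical dotted-quad only: four decimal octets 0-255, no leading zeros,
# so "0177", "0x7f", single-integer and three-part forms are all rejected.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_CANONICAL_V4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def lenient_is_public(host: str) -> bool:
    """A naive allow-check of the failing kind: split on dots and read each
    part as a decimal integer. int("0177") is 177, so "0177.0.0.1" is judged
    to be 177.0.0.1, which is outside every private range, and is allowed."""
    parts = host.split(".")
    if len(parts) != 4:
        return False
    try:
        octets = [int(p) for p in parts]  # leading zero is silently ignored
    except ValueError:
        return False
    if any(not 0 <= o <= 255 for o in octets):
        return False
    addr = ipaddress.IPv4Address(".".join(str(o) for o in octets))
    return addr.is_global


def resolver_view(host: str) -> Optional[str]:
    """The address the C library (and therefore the socket) actually uses.
    glibc inet_aton reads a leading-0 octet as octal and 0x as hex, so
    "0177.0.0.1" becomes 127.0.0.1. Returns None if inet_aton rejects it."""
    try:
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        return None


def strict_is_public(host: str) -> bool:
    """Hardened check: accept only the canonical form, parse it once, and make
    the allow decision on that same parsed value. Anything ambiguous is denied
    rather than reinterpreted, so validator and resolver cannot disagree."""
    if not _CANONICAL_V4.match(host):
        return False
    addr = ipaddress.IPv4Address(host)
    return addr.is_global and not addr.is_multicast


def check(host: str) -> dict:
    """Side-by-side view of one candidate, handy as a test oracle for an
    egress filter: if lenient_allows is True while resolver_sees is internal,
    the filter has the bug this example is about."""
    return {
        "host": host,
        "lenient_allows": lenient_is_public(host),
        "resolver_sees": resolver_view(host),
        "strict_allows": strict_is_public(host),
    }


if __name__ == "__main__":
    for candidate in ("8.8.8.8", "127.0.0.1", "0177.0.0.1", "0x7f.0.0.1"):
        print(check(candidate))
```

The defensive pattern is the one in strict_is_public: normalise to a single canonical representation before the policy decision, and resolve and connect using that same value, never the raw user string.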
In December 2020, Jackson and Nick Sahler reported that they had gained access to a large quantity of sensitive data associated with the children's website Neopets. The data included database credentials, employee emails, and website source code.[15]
In September 2021, Jackson and Sick.Codes disclosed a vulnerability they had found in Gurock's test management tool TestRail, in which improper access control would allow access to a list of application files and file paths, which could then potentially expose sensitive data such as hardcoded credentials or API keys.[16]
Sakura Samurai
In 2020, Jackson founded Sakura Samurai, a white-hat hacking and security research group. Other current and former members of the group have included Robert Willis, Aubrey Cottle, and Higinio Ochoa.[1]
In January 2021, Jackson and other members of Sakura Samurai publicly reported that they had discovered exposed git directories and git credential files on domains belonging to two groups within the United Nations. The vulnerability exposed more than 100,000 private employee records.[17][18]
In March 2021, Jackson and others in the group publicly disclosed vulnerabilities that affected 27 groups within the Indian government. After finding exposed git and configuration directories, Sakura Samurai were able to access credentials for critical applications, more than 13,000 personal records, police reports, and other data. The group also discovered vulnerabilities relating to session hijacking and arbitrary code execution on finance-related governmental systems.[19] After the issues reported to India's National Critical Information Infrastructure Protection Centre went unaddressed for several weeks, Sakura Samurai involved the U.S. Department of Defense Vulnerability Disclosure Program, and the issues were remediated.[20][19]
Jackson and other Sakura Samurai members found a vulnerability in Pegasystems' Pega Infinity enterprise software suite, which is used for customer engagement and digital process automation. The vulnerability, which was first reported to Pegasystems in February 2021, involved a possible misconfiguration that would enable data exposure.[21] The vulnerability led to the researchers breaching systems belonging to both Ford Motor Company and John Deere, incidents which were publicly disclosed in August 2021.[22][23]
Jackson and other members of Sakura Samurai have also reported notable vulnerabilities related to organizations and software including Apache Velocity, Keybase, and Fermilab.[24][25][26]
Publications
- Jackson, John (December 1, 2021). Corporate Cybersecurity: Identifying Risks and the Bug Bounty Program. Wiley. ISBN 978-1119782520.
References
- ^ a b Jackson, John (January 22, 2021). "Episode 200: Sakura Samurai Wants To Make Hacking Groups Cool Again. And: Automating Our Way Out of PKI Chaos". The Security Ledger with Paul F. Roberts. Retrieved September 26, 2021.
- ^ a b Jackson, John (October 31, 2020). "United States Marine to Application Security Engineer, with John Jackson". Hacking into Security (Podcast). Interviewed by Ricki Burke.
- ^ Whittaker, Zack (March 9, 2020). "Talkspace threatens to sue a researcher over bug report". TechCrunch. Retrieved September 26, 2021.
- ^ Roberts, Paul (November 12, 2021). "Security Holes Opened Back Door To TCL Android Smart TVs". The Security Ledger with Paul F. Roberts. Retrieved September 26, 2021.
- ^ a b Wagenseil, Paul (November 16, 2020). "TCL Android TVs may have 'Chinese backdoor' — protect yourself now (Update)". Tom's Guide. Retrieved September 27, 2021.
- ^ Vincent, Brittany (November 18, 2020). "Report: Researchers Find 'Backdoor' Security Flaw in TCL Smart TVs". PCMag. Retrieved September 26, 2021.
- ^ Wagenseil, Paul (December 23, 2021). "Department of Homeland Security: China using TCL TVs to spy on Americans". Tom's Guide. Retrieved September 26, 2021.
- ^ Bennett, Jonathan (December 4, 2020). "This Week In Security: IOS Wifi Incantations, Ghosts, And Bad Regex". Hackaday. Retrieved September 26, 2021.
- ^ Roberts, Paul (November 25, 2021). "Exploitable Flaw in NPM Private IP App Lurks Everywhere, Anywhere". The Security Ledger with Paul F. Roberts. Retrieved September 26, 2021.
- ^ Bannister, Adam (March 29, 2021). "SSRF vulnerability in NPM package Netmask impacts up to 279k projects". The Daily Swig. Retrieved September 26, 2021.
- ^ Speed, Richard (March 29, 2021). "Sitting comfortably? Then it's probably time to patch, as critical flaw uncovered in npm's netmask package". The Register. Retrieved September 26, 2021.
- ^ Sharma, Ax (May 1, 2021). "Python also impacted by critical IP address validation vulnerability". BleepingComputer. Retrieved September 26, 2021.
- ^ Sharma, Ax (March 28, 2021). "Critical netmask networking bug impacts thousands of applications". BleepingComputer. Retrieved September 26, 2021.
- ^ Sharma, Ax (August 7, 2021). "Go, Rust "net" library affected by critical IP address validation vulnerability". BleepingComputer. Retrieved September 26, 2021.
- ^ Roberts, Paul (December 28, 2021). "Update: Neopets Is Still A Thing And Its Exposing Sensitive Data". The Security Ledger with Paul F. Roberts. Retrieved September 26, 2021.
- ^ Toulas, Bill (September 22, 2021). "Researchers Discover Remotely Exploitable Flaw Resulting in File Exposure on Gurock TestRail". TechNadu. Retrieved October 8, 2021.
- ^ Riley, Duncan (January 11, 2021). "United Nations data breach exposes details of more than 100,000 employees". SiliconANGLE. Retrieved August 12, 2021.
- ^ Spadafora, Anthony (January 11, 2021). "United Nations suffers major data breach". TechRadar. Retrieved September 26, 2021.
- ^ a b Sharma, Ax (March 12, 2021). "Researchers hacked Indian govt sites via exposed git and env files". BleepingComputer. Retrieved September 26, 2021.
- ^ Majumder, Shayak (February 22, 2021). "Government-Run Web Services Found to Have Major Vulnerabilities: Reports". NDTV-Gadgets 360. Retrieved August 16, 2021.
- ^ "NVD – CVE-2021-27653". nvd.nist.gov. Retrieved August 12, 2021.
- ^ Sharma, Ax (August 15, 2021). "Ford bug exposed customer and employee records from internal systems". BleepingComputer. Retrieved September 26, 2021.
- ^ Bracken, Becky (August 10, 2021). "Connected Farms Easy Pickings for Global Food Supply-Chain Hack". ThreatPost. Retrieved September 26, 2021.
- ^ Sharma, Ax (January 15, 2021). "Undisclosed Apache Velocity XSS vulnerability impacts GOV sites". BleepingComputer. Retrieved August 16, 2021.
- ^ Osborne, Charlie (February 23, 2021). "Keybase patches bug that kept pictures in cleartext storage on Mac, Windows clients". ZDNet. Retrieved August 16, 2021.
- ^ Sharma, Ax (May 6, 2021). "US physics lab Fermilab exposes proprietary data for all to see". Ars Technica. Retrieved September 26, 2021.