John Jackson
John Jackson -- born 1994 in Plainfield, NJ -- is a cybersecurity professional, application security engineer, author, hacking advocate, security researcher, bug bounty hunter, and the founder of the Hacking Group Sakura Samurai 桜の侍, a security research group dedicated to ethical research. He is most notable for multiple CVE and Enterprise Security Research contributions, including the discovery of a backdoor on TCL TVs, a business logic flaw on Talkspace, a Neopets database exposure, and a Server Side Request Forgery (SSRF) vulnerability affecting the NPM private-ip package.
Contents
Background
John Jackson was born in 1994 in Plainfield, New Jersey, and currently resides in Denver, Colorado. Jackson spends much of his time hacking, but also enjoys reading and writing -- especially poetry, and is currently working on a book with Wiley Publishing.
Jackson has contributed to the Threat and Vulnerability space, disclosing several pieces of cyber vulnerability research and assisting in resolution for the greater good. He continues to work on several projects and collaborates with other researchers to identify major cyber vulnerabilities. John is a champion for the Information Security Research space and believes that there should be better protection in place for hackers.
In 2020, he was invited to join Hacking is NOT a crime, an organization centered on rights for Hackers to conduct ethical research without fear of retaliation. Jackson currently serves as an “Advocate” and assists in helping the public understand the difference between Hackers and Threat Actors.
Education
Jackson graduated from Hightstown Highschool, in 2012. After his military career he enrolled in the University of Colorado, Denver, where he studied business, then chemistry, and lastly philosophy. Jackson dropped out of the University, opting for more specialized education.
Jackson attended Leaderquest, Denver, and within three months he achieved the ITIL, CompTIA A+, CompTIA Security+, EC-Council Certified Network Defender, and EC-Council Certified Ethical Hacker certifications.
Career
Military Service
At the age of 17, Jackson enlisted in the United States Marine Corps. Upon graduating from Bootcamp at Parris Island, South Carolina, attended Marine Combat Training at Camp Lejeune, North Carolina. Shortly after MCT, Jackson attended Bulk Fuel Specialist School in Fort Lee, Virginia, and was named the Class Honor Graduate. After Bulk Fuel Specialist training, Jackson was stationed in Okinawa, Japan for 3 and 1/2 years. From his post at Okinawa, he traveled and embarked on operations within multiple regions of the Philippines & South Korea. Notably, John participated in Strategic Wargames as a subject matter expert and was the sole Bulk Fuel Specialist during Operation Ssangyong (Twin Dragons) in 2013.
During his tour of duty, John Jackson served in the following units: -- Combat Logistics Battalion 4, Camp Foster, Okinawa Japan -- Marine Wing Support Squadron 172, Camp Foster, Okinawa Japan -- Headquarters and Support Battalion, Camp Lejeune, North Carolina
Jackson was honorably discharged from his military duty.
Cyber Security, Hacjer, Security Research
Jackson continued to pursue educational opportunities and also obtained the Certified Penetration Testing Engineer certification, offered by Mile2, the Certified Ethical Hacking - Master certification, offered by EC-Council, and the renowned OSCP Certification, offered by Offensive Security. Jackson then worked several jobs prior to launching his career in Security Research and Information Security. Jackson’s first cybersecurity position was an entry-level tech job contracting for the Department of Homeland Security with General Dynamics IT - focusing on the Homeland Security Information Network platform. Jackson spent just one month at the Help Desk before moving into a new role as a contracted-generalized Cybersecurity Engineer III at Staples, after which he changed his specialization from Cybersecurity Engineer to Endpoint Detection and Response Engineer III. After contracting with Staples, Jackson was offered a position at Shutterstock as an Application Security Engineer. The first experience Jackson had in the field of Information Security Research was on March 9th, 2020, when he was forced to take down his security research after receiving a cease and desist letter from Talkspace’s legal team after responsibly reporting the vulnerability. Techcrunch had reported on the incident and it was Jackson’s first public news mention as it pertains to security research.
On September 25th, 2020, Jackson was asked for his professional application security commentary by ZDnet and he provided input on an incident in which Twitter warned users of a possible API keys leak. Weeks later, on October 9th, 2020, Jackson once again provided an application security perspective for ZDnet - this time, highlighting modifications that Google had made to their product chrome, changing the way the browser’s caching system works in order to improve privacy.
Less than a month later on October 30th, 2020, Startpage, the privacy browsing solution published a guest-written article on the importance of privacy, featuring Jackson as the author. One day later, on October 31st, 2020, Hacking Into Security - Career Talks, released Episode #31 which highlighted Jackson’s transition from the United States Marine Corps into the Information Security field as an Application Security Engineer.
Several weeks later - on November 8th, The Mitre Corporation and The National Institute of Standards and Technology published CVE-2020-27388 a Stored Cross Site Scripting vulnerability affecting the YOURLS project - effectively making this Jackson’s first publication-vetted information security research contribution. The day after the release of the vulnerability. On November 10th, security research that identified multiple vulnerabilities within TCL TV Android TV’s were published by The Mitre Corporation and The National Institute of Standards and Technology. The vulnerabilities were assigned CVE-2020-27403 and CVE-2020-28055. Jackson worked in conjunction with Sick Codes on the research, and the vulnerabilities were revealed as a Chinese Backdoor, first reported by Security Ledger on November 12th, 2020. Shortly after the report, multiple media sources picked up the story including Hackaday, Slashdot, Tom’s Guide, International Business Times, PCMAG, and Liputan 6.
After roughly a week, Paul Roberts from The Security Ledger received a response for comment from the Senior Vice President for TCL North America, Chris Larson, acknowledging that the vulnerabilities had been patched, but denying any evidence of a Backdoor. On December 9th, the details of the TCL Backdoor made its way into the news again as covered by WXIX-TV on Fox19 Cincinnati. After the news coverage on Jackson and Sick Code’s research, the Department of Homeland Security announced that they were investigating the cyber risk from TCL Smart TVs on December 22nd. Specifically, at the conservative heritage foundation, the U.S. Department of Homeland Security Acting Secretary Chad Wolf added that the DHS would soon issue a business advisory cautioning against using data services and equipment from firms linked to China and said it was “reviewing entities such as the Chinese manufacturer TCL”.
Shortly after the DHS announcement including TCL’s review other sources of media picked up the news, including The Standard, Tom’s Guide, Forbes, Reuters, and CNBC. In response, TCL Electronics released a press release stating that they received no notice from the U.S. government and all TV products sold in the US fully complied with the law.
On November 23rd, The Mitre Corporation and The National Institute of Standards and Technology published Jackson’s fourth CVE research finding, assigned CVE-2020-28360. The vulnerability, affecting npm’s private-ip package, was discovered by Jackson and allowed for the execution of arbitrary code through various Server Side Request Forgery vulnerabilities. The Security Ledger, Hackaday and The Daily Swig all covered Jackson’s newly-discovered and disclosed critical CVE finding.
On November 25th, Business Insider and Lifehacker wrote about Jackson, highlighting his validation of a massive data breach, carried out by Aubrey Cottle the founder of Anonymous, exposing data from users of the conservative social media website Parler and of the American conservative political journalism website, the Washington Examiner.
Jackson’s most recent work was conducted on December 28th, 2020 when he identified a vulnerability on the kid’s website Neopets. Jackson discovered that insecure client-side restrictions allowed him access sensitive data. He then invited Nick Sahler to work on his research and together they were able to obtain the entire codebase for multiple servers, resulting in exposure of credentials needed to access company databases, employee email addresses, and even code repositories containing proprietary code for the website. Additionally, Jackson and Sahler discovered that sensitive IP addresses were exposed - covered in an article by the Security Ledger.
Hacking Group Sakura Samurai 桜の侍
John Jackson is the founder of the Hacking Group Sakura Samurai 桜の侍, a Security Research group dedicated to ethical research. Jackson founded the group with Nick Sahler, a Machine Learning Engineer, as a means to encourage security researchers to participate in open-minded and responsible security research. Inspired by “Cult of the Dead Cow”, Sahler and Jackson publicly announced the formation of the group on December 31st, 2020 and unveiled the group’s official website on January 5th, 2021.
Among the announced members of the group are Jackson Henry, Robert Willis, Ali Diamond and the founder of 420chan and the infamous hacking group Anonymous: Aubrey Cottle.
Sources
- https://www.zdnet.com/article/chrome-changes-how-its-cache-system-works-to-improve-privacy/
- https://www.zdnet.com/article/twitter-warns-of-possible-api-keys-leak/
- https://techcrunch.com/2020/03/09/talkspace-cease-desist/
- https://hacking-into-security-career-talks.simplecast.com/episodes/hacking-into-security-31-united-states-marine-to-application-security-engineer-with-john-jackson
- https://podcasts.apple.com/au/podcast/hacking-into-security-31-united-states-marine-to-application/id1508255491?i=1000496753316
- https://open.spotify.com/episode/3xN4xPwk72ZpQoUUZzUx72
- https://www.youtube.com/watch?v=sxxy6Ec6slI&list=PL33y0fs6IicL-3acthVKceAHc7zrNiMyT&index=2
- https://www.hackingisnotacrime.org/community
- https://nvd.nist.gov/vuln/detail/CVE-2020-27388
- https://snyk.io/vuln/SNYK-PHP-YOURLSYOURLS-1021882
- https://www.startpage.com/privacy-please/privacy-advocate-articles/the-privacy-glass-house-mentality
- https://securityledger.com/2020/12/neopets-is-still-a-thing-and-its-exposing-sensitive-data/
- https://www.zerohedge.com/technology/your-new-tcl-hdtv-made-china-security-risk
- https://www.tomsguide.com/news/tcl-wolf-dhs-china-bashing
- https://securityledger.com/2020/12/dhs-looking-into-cyber-risk-from-tcl-smart-tvs/
- https://www.fox19.com/2020/12/06/major-security-flaw-found-tcl-android-tvs-tech-researchers-say/
- https://hackaday.com/2020/12/04/this-week-in-security-ios-wifi-incantations-ghosts-and-bad-regex/
- https://www.startpage.com/privacy-please/privacy-advocate-articles/privacy-in-action-john-jackson-cybersecurity-expert-author
- https://lifehacker.com/parler-wasnt-hacked-but-that-doesnt-mean-its-safe-to-u-1845757409
- https://www.businessinsider.com/parler-data-breach-twitter-social-network-conservative-hack-2020-11
- https://portswigger.net/daily-swig/vulnerable-npm-security-module-allowed-attackers-to-bypass-ssrf-defenses
- https://securityledger.com/2020/11/exploitable-flaw-in-npm-private-ip-app-lurks-everywhere-anywhere/
- https://securityledger.com/2020/11/tv-maker-tcl-denies-back-door-promises-better-process/
- https://www.digitalinformationworld.com/2020/11/major-backdoor-vulnerabilities-have.html
- https://www.liputan6.com/tekno/read/4408795/peneliti-temukan-celah-keamanan-serius-di-smart-tv-android-tcl
- https://www.futurezone.de/produkte/article230923508/TCL-Fernseher-getestet-Konnten-nicht-glauben-was-da-passiert-ist-so-Experten.html
- https://www.techtimes.com/articles/254197/20201115/tcl-smart-tvs-backdoor-security-flaw-experts-find-heres-protect.htm
- https://www.cnnindonesia.com/teknologi/20201115135501-185-569973/smart-tv-tcl-china-disebut-rentan-disadap-hacker
- https://www.futurezone.de/produkte/article230923508/TCL-Fernseher-getestet-Konnten-nicht-glauben-was-da-passiert-ist-so-Experten.html
- https://www.techtimes.com/articles/254197/20201115/tcl-smart-tvs-backdoor-security-flaw-experts-find-heres-protect.htm
- https://www.cnnindonesia.com/teknologi/20201115135501-185-569973/smart-tv-tcl-china-disebut-rentan-disadap-hacker
- https://www.pcmag.com/news/report-researchers-find-backdoor-security-flaw-in-tcl-smart-tvs?amp=true&__twitter_impression=true
- https://www.ibtimes.sg/major-security-flaws-tcl-android-smart-tvs-may-have-opened-chinese-backdoor-researchers-say-53336
- https://www.tomsguide.com/uk/news/tcl-smart-tv-security-flaws
- https://it.slashdot.org/story/20/11/13/0016229/security-holes-opened-back-door-to-tcl-android-smart-tvs
- https://www.fudzilla.com/news/51876-tcl-android-tellies-had-gapping-security-holes
- https://hackaday.com/2020/11/13/this-week-in-security-platypus-git-bat-tcl-tvs-and-lessons-from-online-gaming/
- https://securityboulevard.com/2020/11/disconnect-your-tcl-smart-tv-from-the-internet-now/
- https://securityledger.com/2020/11/security-holes-opened-back-door-to-tcl-android-smart-tvs/
- https://www.zdnet.com/article/bug-hunter-wins-researcher-of-the-month-award-for-dod-account-takeover-bug/
- https://www.startpage.com/privacy-please/privacy-advocate-articles/the-privacy-glass-house-mentality
- https://finance.yahoo.com/news/talkspace-threatened-sue-security-researcher-163711547.html
- https://www.forbes.com/sites/paulfroberts/2020/12/23/this-christmas-beware-of-chinese-conglomerates-bearing-gifts/?sh=53b7d93d494b
- https://www.dhs.gov/news/2020/12/21/acting-secretary-chad-f-wolf-remarks-prepared-homeland-security-and-china-challenge
- https://uk.finance.yahoo.com/news/tcl-electronics-1070-hk-no-042347119.html
https://nationalinterest.org/blog/techland/does-your-tcl-roku-tv-have-security-flaw-answer-no-175386
