Summary Sakura Samurai was able to identify a vulnerability in the census.gov web application that resulted in the exposure of 10,000 OAuth tokens, full user ID names, full names of the users, email addresses, database names and tables, and local application privileged group role names with associated emails. The vulnerability was a result of CVE-2021-27653,… Continue reading Census Vulnerability Exposes 10k OAuth Tokens, Thousands of User Records
Category: Hack the Planet
Ford Breach, August 2021 Disclosure
Summary A CVE in Pega CMS was found while doing research on Ford’s VDP program. The vulnerability was initially identified by myself (@rej_ex) and break3r (@1337break3r). Subsequently, Sakura Samurai (@sakurasamuraii) members were brought in to participate in the research and the severity was escalated. Aubrey Cottle (@Kirtaner), Jackson Henry (@JacksonHHax), and John Jackson (@johnjhacking) were the…
Fermilab Hack, April/May 2021
Members of Sakura Samurai accessed user information, internal ticketing systems, proprietary application code, and heaps of other internal communication information, including but not limited to: proprietary software, PII, credentials (including SSO UIDs), project details and attachments, schema, infrastructure configuration, and IP addresses. Credits: All of the following hackers had a specific role to play during…
Pega CVE-2021-27653, March 2021
It’s funny how companies try to play down issues. Well, this is a 9.8 CRITICAL, yet listed as a MEDIUM. This was used to breach Ford, and the PoC was given a 90-day hold for release, so once the PoC drops the world will see what this does. Pega originally didn’t appear to even…
Indian Government Breach: Feb, 2021
Note: In February of 2021 Sakura Samurai disclosed our Indian Government breach. We didn’t release sensitive information because the issues weren’t patched. This is a blog post with information on it. After the United Nations breach we were looking for new targets. This process usually involves finding a VDP or Bug Bounty program for something that seems…
Keybase CVE-2021-23827: Feb, 2021
This was an interesting finding that John led. He stumbled upon it after poking around files on his computer in Keybase, quickly getting the team to do further research on it. John was on Windows when he noticed the potential issue; Kanshi and Kirtaner loaded up macOS to test another OS, with Kirtaner getting deeper…
United Nations Breach: Jan, 2021
Notes: In January of 2021 Sakura Samurai breached the United Nations. This is a short blog post on the United Nations breach, with media sources on it to check out. Sakura Samurai breached over 100k pieces of PII from the United Nations, but could have easily gotten a lot more / a much higher number. When you get…
The Media Forced Me To Create A Blog
Notes: This blog post answers why members of Sakura Samurai now have their own personal blogs if they didn’t prior. My hacker crew, Sakura Samurai, has been getting lots of press lately, and many of the journalists aren’t properly attributing the material to the security researchers. I just want to hack and don’t want to…
Sakura Samurai
Notes: Sakura Samurai was founded December 2020. This blog post is a story about how I got involved. Sakura Samurai is a security research group that my close friend John Jackson started with his friend Nick. I was asked to join as it was being put together. All of the hacking I have done for…