Census Vulnerability Exposes 10k OAuth Tokens, Thousands of User Records

Summary: Sakura Samurai was able to identify a vulnerability in the census.gov web application that resulted in the exposure of 10,000 OAuth tokens, full user ID names, full names of the users, email addresses, database names and tables, and local application privileged group role names with associated emails. The vulnerability was a result of CVE-2021-27653,…

Ford Breach, August 2021 Disclosure

Summary: A CVE in Pega CMS was found while researching on Ford’s VDP program. The vulnerability was initially identified by myself (@rej_ex) and break3r (@1337break3r). Subsequently, Sakura Samurai (@sakurasamuraii) members were brought in to participate in the research and the severity was escalated. Aubrey Cottle (@Kirtaner), Jackson Henry (@JacksonHHax), and John Jackson (@johnjhacking) were the…

Fermilab Hack, April/May 2021

Members of Sakura Samurai accessed user information, internal ticketing systems, proprietary application code, and heaps of other internal communication information, including but not limited to: proprietary software, PII, credentials (including SSO UIDs), project details and attachments, schema, infrastructure configuration, and IP addresses. Credits: All of the following hackers had a specific role to play during…

Indian Government Breach: Feb, 2021

Note: In February of 2021 Sakura Samurai disclosed our Indian Government breach. We didn’t release sensitive information because issues weren’t patched. This is a blog post about information on it. After the United Nations breach we were looking for new targets. This process usually involves finding a VDP or Bug Bounty program for something that seems…

Sakura Samurai

Notes: Sakura Samurai was founded December 2020. This blog post is a story about how I got involved. Sakura Samurai is a security research group that my close friend John Jackson started with his friend Nick. I was asked to join as it was being put together. All of the hacking I have done for…