Sakura Samurai (group)

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Sakura Samurai
FoundersJohn Jackson
PurposeWhite hat hacking and security research
5 Edit this at Wikidata

Sakura Samurai was a white hat hacking and security research group that was founded in 2020. The group is responsible for multiple vulnerability disclosures involving governmental groups and various corporations.[1]


Sakura Samurai was founded in 2020 by John Jackson, also known as "Mr. Hacking".[2] Active members of the group include Jackson, Robert "rej_ex" Willis, Jackson "Kanshi" Henry, Kelly Kaoudis, and Higinio "w0rmer" Ochoa.[2][3] Ali "ShÄde" Diamond, Aubrey "Kirtaner" Cottle, Sick.Codes, and Arctic are all former members of the group.[4]

In October 2022, Sakura Samurai announced on their Twitter page that they are now inactive due to “various other commitments” the members have individually. [5]

Notable work[edit]

Governmental groups[edit]

United Nations[edit]

Sakura Samurai discovered exposed git directories and git credential files on domains belonging to the United Nations Environmental Programme (UNEP) and United Nations International Labour Organization (UNILO). These provided access to WordPress administrator database credentials and the UNEP source code, and exposed more than 100,000 private employee records to the researchers. Employee data included details about U.N. staff travel, human resources data including personally identifiable information, project funding resource records, generalized employee records, and employment evaluation reports.[6][7] Sakura Samurai publicly reported the breach in January 2021, after first disclosing it through the U.N.'s vulnerability disclosure program.[7]


In March 2021, Sakura Samurai publicly disclosed vulnerabilities that affected 27 groups within the Indian government. After finding exposed git and configuration directories, Sakura Samurai were able to access credentials for critical applications, more than 13,000 personal records, police reports, and other data. The group also discovered vulnerabilities relating to session hijacking and arbitrary code execution on finance-related governmental systems.[8] After the issues reported to India's National Critical Information Infrastructure Protection Centre went unaddressed for several weeks, Sakura Samurai involved the U.S. Department of Defense Vulnerability Disclosure Program, and the issues were remediated.[9][8]


Apache Velocity Tools[edit]

Sakura Samurai discovered and reported a cross site scripting (XSS) vulnerability with Apache Velocity Tools in October 2020. Sophisticated variations of the exploit, when combined with social engineering, could allow attackers to collect the logged-in user's session cookies, potentially allowing them to hijack their sessions. The vulnerable Apache Velocity Tools class was included in more than 2,600 unique binaries of various prominent software applications. Apache acknowledged the report and patched the flaw in November 2020, although Apache did not formally disclose the vulnerability.[10]


The group discovered that Keybase, a security-focused chat application owned by Zoom, was insecurely storing images, even after users had ostensibly deleted them. They reported the vulnerability in January 2021, and disclosed it publicly in February after the bug had been patched and updates had been widely distributed.[11]

Pega Infinity and related breaches[edit]

Sakura Samurai found a vulnerability in Pegasystems' Pega Infinity enterprise software suite, which is used for customer engagement and digital process automation. The vulnerability, which was first reported to Pegasystems in February 2021, involved a possible misconfiguration that would enable data exposure.[12]

The vulnerability led to Sakura Samurai breaching systems belonging to both Ford Motor Company and John Deere, incidents which were publicly disclosed in August 2021.[13][14] These breaches were the subject of a 2021 DEF CON presentation by Sick.Codes, which was titled "The Agricultural Data Arms Race: Exploiting a Tractor Load of Vulnerabilities in the Global Food Supply Chain (in good faith)".[15]


In May 2021, Sakura Samurai reported vulnerabilities they had discovered and disclosed to Fermilab, a particle physics and accelerator laboratory. The group was able to gain access to a project ticketing system, server credentials, and employee information.[16]


  1. ^ Xavier, John (20 February 2021). "India's cyber defenses breached and reported; govt. yet to fix it". The Hindu. ISSN 0971-751X. Retrieved 12 August 2021.
  2. ^ a b Jackson, John (22 January 2021). "Episode 200: Sakura Samurai Wants To Make Hacking Groups Cool Again. And: Automating Our Way Out of PKI Chaos". The Security Ledger with Paul F. Roberts. Retrieved 26 September 2021.{{cite web}}: CS1 maint: url-status (link)
  3. ^ "Sakura Samurai". Sakura Samurai. Retrieved 26 September 2021.{{cite web}}: CS1 maint: url-status (link)
  4. ^ "Retired Members of Sakura Samurai". Sakura Samurai. Retrieved 26 September 2021.{{cite web}}: CS1 maint: url-status (link)
  5. ^ "Retirement Announcement". Twitter. Retrieved 30 October 2022.
  6. ^ Riley, Duncan (11 January 2021). "United Nations data breach exposes details of more than 100,000 employees". SiliconANGLE. Retrieved 12 August 2021.{{cite web}}: CS1 maint: url-status (link)
  7. ^ a b Spadafora, Anthony (11 January 2021). "United Nations suffers major data breach". TechRadar. Retrieved 26 September 2021.{{cite web}}: CS1 maint: url-status (link)
  8. ^ a b Sharma, Ax (12 March 2021). "Researchers hacked Indian govt sites via exposed git and env files". BleepingComputer. Retrieved 26 September 2021.
  9. ^ Majumder, Shayak (22 February 2021). "Government-Run Web Services Found to Have Major Vulnerabilities: Reports". NDTV-Gadgets 360. Retrieved 16 August 2021.
  10. ^ Sharma, Ax (15 January 2021). "Undisclosed Apache Velocity XSS vulnerability impacts GOV sites". BleepingComputer. Retrieved 16 August 2021.
  11. ^ Osborne, Charlie (23 February 2021). "Keybase patches bug that kept pictures in cleartext storage on Mac, Windows clients". ZDNet. Retrieved 16 August 2021.
  12. ^ "NVD – CVE-2021-27653". Retrieved 12 August 2021.
  13. ^ Sharma, Ax (15 August 2021). "Ford bug exposed customer and employee records from internal systems". BleepingComputer. Retrieved 26 September 2021.{{cite web}}: CS1 maint: url-status (link)
  14. ^ Bracken, Becky (10 August 2021). "Connected Farms Easy Pickings for Global Food Supply-Chain Hack". ThreatPost. Retrieved 26 September 2021.{{cite web}}: CS1 maint: url-status (link)
  15. ^ Kirk, Jeremy (9 August 2021). "Flaws in John Deere Systems Show Agriculture's Cyber Risk". National Cyber Security News Today. Retrieved 26 September 2021.{{cite web}}: CS1 maint: url-status (link)
  16. ^ Sharma, Ax (6 May 2021). "US physics lab Fermilab exposes proprietary data for all to see". Ars Technica. Retrieved 26 September 2021.

External links[edit]