John J Hacking

Security Research

This section of my website highlights my accomplishments in the hacking space. For the most part, there will be corresponding writeups either on this website or hosted externally for each of my CVEs. As far as the company hacking that I have accomplished, most of the bugs cannot be publicly disclosed per NDAs or out of respect for the Company that I have coordinated disclosure with. Any interesting vulnerability writeups that I have done can be found in the "Writeups" section below.

Companies Hacked

Government of India

Ford

Department of Homeland Security

United Nations Environment Programme

International Labour Organization

Keybase

Twitter

Parler

TCL

Jack Daniel's

Credit Karma

Dell

Twilio SendGrid

Talkspace

Opera

Neopets

Zynga

Tripadvisor

Telefónica

Upwork

SurveyMonkey

HealthifyMe

AppsFlyer

CVEs

CVE-2021-23827: Keybase Client Cleartext Storage of Sensitive Information

CVE-2020-27388: YOURLS 1.5 - 1.7.10, Multiple Stored Cross Site Scripting (XSS) Vulnerabilities in Admin Panel

CVE-2020-28360: npm private-ip SSRF Bypass (IP Phone Home)

CVE-2020-27403: TCL Android Smart TV Exposed File System Via HTTP

CVE-2020-28055: TCL Android Smart TV File Write Local Privilege Escalation

Write Ups

CVE-2021-23827: Sakura Samurai discover cleartext pictures in Keybase Desktop Client; Windows, macOS, Linux

Read more

UNEP Breached, 100K+ Employee Records Accessed

Read more

CVE-2020-28360: npm private-ip SSRF Bypass (IP Phone Home)

Read more

CVE-2020-27388: YOURLS 1.5 - 1.7.10, Multiple Stored Cross Site Scripting (XSS) Vulnerabilities in Admin Panel

Read more

Account Takeover on the Jack Daniel's Tennessee Squire Association Platform

Read more

P1: Critical - Discovering and Foiling a Threat Actor

Read more