User:TheFreeCollege/sandbox

Pega Infinity
The group found a vulnerability in Pega Infinity that allowed severe information disclosure, enabling an individual to get access to an organization's OAuth tokens. The vulnerability was assigned CVE-2021-27653.

United Nations Breach
Sakura Samurai's first group disclosure was a breach of the United Nations, which exposed the information of over 100,000 U.N. Environmental Program employees. The breach involved exposed Git directories and Git credential files. Using the exposed details, Sakura Samurai dumped the contents of the Git files and cloned repositories. The information the group obtained included details about U.N. staff travel, such as employee ID, names, employee groups, travel justification, start and end dates, approval status, destination and length of stay. Sakura Samurai also managed to obtain human resources data that included personally identifiable information, as well as project funding resource records, generalized employee records and employment evaluation reports.

Indian Government Breach
The group was able to cause a large breach across many Indian government assets, and due to the complications from disclosure, the United States Department of Defense Cyber Crime Center opened public communication with the Indian Government to support Sakura Samurai's disclosure.

In the massive breach, Sakura Samurai was able to obtain full access to the following 28 government servers owned by the country of India: Government of Bihar; Government of Tamil Nadu; Government of Kerala; Telangana State; Maharashtra Housing and Development Authority; Jharkhand Police Department; Punjab Agro Industries Corporation Limited; Government of India's Ministry of Women and Child Development; Government of West Bengal; West Bengal SC ST & OBC Development and Finance Corp.; Government of Delhi, Department of Power GNCTD; Government of India, Ministry of New and Renewable Energy; Government of India, Department of Administrative Reforms & Public Grievances; Government of Kerala, Office of the Commissioner for Entrance Examinations; Government of Kerala, Stationery Department; Government of Kerala, Chemical Laboratory Management System; Government of Punjab, National Health Mission; Government of Odisha, Office of the State Commissioner for Persons with Disabilities; Government of Mizoram, State Portal; Embassy of India in Bangkok (Thailand); Embassy of India in Tehran; Consulate General of India; Government of Kerala, Service and Payroll Administrative Repository; Government of West Bengal, Directorate of Pension, Provident Fund & Group Insurance; Government of India, Competition Commission of India; Government of Chennai, The Greater Chennai Corporation; Government of Goa, Captain of Ports Department; and the Government of Maharashtra.

Fermi National Accelerator Laboratory Hack
The group targeted Fermilab assets for testing after finding that the lab had a vulnerability disclosure program, and was able to gain access to an open ticketing system where multiple sets of credentials were found. These credentials included those for the lab's Trolley and a server. Other items the group found included an open FTP server and information on employee security groups, which included full names, email addresses, and SSO usernames.

Keybase
The group discovered that Keybase, a privacy application owned by Zoom (Microsoft), was storing images that users had deleted in cleartext on their computers, causing privacy concerns with the application. The vulnerability was assigned CVE-2021-23827.

Apache Velocity Tools
Apache Velocity Tools had a cross-site scripting (XSS) vulnerability that impacted many government sites. Sophisticated variations of the exploit, when combined with social engineering, can let attackers collect logged-in users' session cookies, with the potential to hijack their sessions.

The Apache Velocity Tools class containing the flaw is included in over 2,600 unique binaries of prominent software applications available to download from npm, PyPI, Maven Central, and other open-source repositories. The vulnerability was assigned CVE-2021-23827.

Ford Motor Company
In 2021, a large-scale information exposure vulnerability on Ford's website was confirmed by Sakura Samurai after it was initially discovered by colleagues Robert Willis and break3r. The vulnerability, CVE-2021-27653, would have permitted attackers to access a wealth of Ford's sensitive customer and employee data, run queries and perform administrative actions. Although Ford's misconfigured Pega Infinity customer management system was quickly fixed and the findings reported to Pega in February 2021, Ford's vulnerability disclosure policy per HackerOne requires that a minimum of six months elapse before the release of a disclosure. Whether Ford's system was breached and sensitive data accessed remains unknown as of August 2021; Ford's system endpoints were taken offline within 24 hours of the disclosure report's release but remained accessible, according to vulnerability researchers.