Leon Johnson

Offensive Privacy Lead at TikTok

Breaking things that need breaking for 20+ years.

Experience

2024 – Present
Offensive Privacy Lead
TikTok (USDS)

Leading offensive privacy testing and vulnerability research for TikTok's US Data Security initiative. Co-discovered CVE-2026-28279 and CVE-2026-28280 in osctrl.

2023 – 2024
AI Security Researcher
RunSybil

Researched AI security threats and developed automated security testing methodologies for AI/ML systems.

2011 – 2023
Principal Security Consultant
Rapid7

12 years of penetration testing, red teaming, and social engineering. Spoke at RSA Conference, Forrester Forums, and Security BSides. Featured in Under the Hoodie reports.

2007 – 2010
Senior Security Consultant
Texas DIR

Conducted security assessments for state government agencies across Texas.

2004 – 2007
Information Security Analyst
CIAS / UTSA

Security analysis and research at the Center for Infrastructure Assurance and Security at the University of Texas at San Antonio.


Vulnerability Research

CVE-2026-28279
HIGH 8.4 AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
osctrl < 0.5.0

OS Command Injection in osctrl-admin. An authenticated admin injects shell commands via the hostname parameter in the environment configuration. The commands are embedded into enrollment scripts via Go's text/template and execute as root/SYSTEM on all enrolling endpoints before osquery installation. CWE-78.

Co-discovered with Kwangyun Keum @ TikTok USDS Offensive Privacy Team

CVE-2026-28280
HIGH 8.7 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
osctrl < 0.5.0

Stored XSS in osctrl-admin on-demand query list. A low-privilege user injects JavaScript via the query parameter. The payload persists and executes in any viewer's browser, including admins. Chainable with CSRF token extraction for privilege escalation and full platform compromise. CWE-79.

Co-discovered with Kwangyun Keum @ TikTok USDS Offensive Privacy Team


Tools & Projects

github.com/sho-luv... repos, ... followers
Mr. Robot CTF
Beginner-intermediate CTF I created. 90+ community writeups over 10 years.
mavs
Mobile Application Vulnerability Scanner
zerologon
CVE-2020-1472 — check, exploit, restore DC password
mount_shares
Mount all readable CIFS shares locally for easy parsing
gpt_tools
AI-assisted pen testing and red team tools
React2Shell
CVE-2025-55182 toolkit — CLI, Chrome extension, Nuclei templates
MongoBleed
CVE-2025-14847 scanner — unauthenticated MongoDB heap memory leak
mass-effect
Uses Masscan to identify open ports with known exploits
jwtmap
JWT vulnerability mapper — like SQLMap but for JSON Web Tokens
Serpico
Pen test report writing tool (code contributor)

Speaking

20 talks across RSA Conference, Security BSides, Forrester Forums, Rapid7 UNITED, and corporate events spanning 12 years.


Media & Podcasts

2025
Xygeni SafeDev Talk
2025
Layer 8 Podcast
2017
Hillbilly Storytime

Writing

Blog

Certifications

OSCP
Active
NSA IAM
Active
NSA IEM
Active
CISSP
Inactive
CEH
Inactive

For Fun

AI-generated podcast about my resume

Let's Connect

Available for speaking, advisory roles, and security consulting.