Author: wefightforsecurity

Introducing SEO & Redirect 3.1: Empower Your Site with Custom SEO Descriptions for Every Post and Page

Author wefightforsecurityPosted on May 28, 2023June 2, 2023Categories web security26 Comments on Introducing SEO & Redirect 3.1: Empower Your Site with Custom SEO Descriptions for Every Post and Page

In a constant effort to improve user experience and eliminate frustrating 404 errors, we initially developed SEO Redirect Editor. This innovative program aimed to tackle the issue of broken links, ensuring a seamless browsing experience. Building upon its success, we released version 2, which not only addressed flaws found in other SEO programs but also provided automatic error removal.

Now, we are thrilled to unveil SEO & Redirect 3.1, a major milestone in our journey. With this latest version, we introduce the ability to create SEO descriptions directly within our application.

But you may be wondering, where is the “Save SEO Description” button? Rest assured, we designed SEO & Redirect 3.1 to align with the expectations of modern users. Say goodbye to clunky user interfaces and welcome a streamlined approach. Simply write your SEO description, hit “Save Draft” or “Publish,” and voila! Your meticulously crafted description is instantly published alongside your content, visible to web crawlers. It’s fast, simple, and hassle-free.

So, what lies ahead for SEO & Redirect? Our commitment to enhancing this powerful tool remains steadfast. We’ve already heightened security and improved loading speeds, ensuring a safer and faster experience for our users. But we’re not stopping there. We have exciting plans in the pipeline, including further version releases and feature additions, all aimed at enhancing your SEO capabilities and boosting your online presence.

How We Could’ve avoided The Bored Ape Apocalypse

Author wefightforsecurityPosted on May 1, 2022May 2, 2022Categories web security15 Comments on How We Could’ve avoided The Bored Ape Apocalypse
Bored Ape Apocalypse pic of ape #6068
Royalty free usage of bored ape 6068 https://opensea.io/assets/0xbc4ca0eda7647a8ab7c2061c2e118a18a936f13d/6068

If you are interested in colossal tech debuts and those who have epic failures, Yuga labs is easily on the top ten list after the bored ape apocalypse they created with the debut of otherside, on April 30th, 2022.

What is Yuga labs, how are bored apes involved?

If you aren’t in the NFT scene, Yuga labs the owners of Bored Ape Yacht club had a new mint for what they call the otherside, which included land for those who aren’t bored apes, allowing more people into their profitable eco-system.

How did things go wrong with The Otherside mint?

Like any gigantic project bringing tons of people in, you need to plan how to do this without driving up the fee for transactions on the ethereum network drastically and how to ensure you don’t crash the network.

Gas hit an all time high of 6000 gwei, if you don’t know what that means it was over 45 thousand dollars for some people to just pay the fee to have the privilege to pay more money to mint. This is basically a tax of using the ethereum network, or at least it is the easiest way to explain it, as our articles are aimed for everyone.

Why did it cost so much Ethereum?

The code for people to buy land was poorly written for lowering cost, this code is commonly known as a smart contract. 3 or 4 tweaks plus using a raffle or wave system to create rounds of people to mint, to avoid spiking the price of gas could’ve saved over 80 million dollars in fees to all the end users, which at the time this tweet thread was written would’ve cut the costs of minting down to 20 million from the then current amount of 100 million. In this scenario safemint wasn’t needed, and erc721enumerable, which is used to track ownership of nfts on chain, wasn’t needed. We never use erc721enumerable, ever.

There are many efficient ways without using the commands above to make a mint safe, and how to track ownership, yet yuga labs instead burned at the point in time when this was written 80 million dollars. Some estimates say by the end of the mint it was 160 million dollars, which could’ve been cut down to only 40 million dollars lost, but if the wave system had been introduced, I hazardly guess 10 million or less would’ve been lost. Of course, if they had also used 721a, far less money would’ve been lost as well despite it being somewhat bloated, it is the best free contract out there.

Why didn’t Yuga labs fix this? They have tons of employees, how could they lack the skills?

That is where things start to get worrisome from a legal standpoint, Yuga labs made an announcement, that basically can be boiled down to “we broke ethereum, we need to create a competitor” when literally less than 2 dozen characters changed would’ve saved up to 140 million dollars. It wasn’t a fault with the network, it was a fault with their code, which created a lot of people asking if this was intentional, did they plan this as a promotion for their own network? If so, this could potentially fall under the UK and US laws against abusing systems, which has jail time and fines.

https://twitter.com/darran0x/status/1520618405774077952?s=20&t=fc8ciCaYndJnCfOUDb0DdQ

We don’t write these words lightly, in fact, we wish it wasn’t necessary but after the display and their statement on what happened, it looked like they intentionally destroyed up to 160 million dollars while crashing the Ethereum network, which could lead to legal action if anyone involved decides to take it.

What is happening now?

The rich and careless with their money are blaming others for complaining about the insane mint price, since the land is now worth more than what they minted at. These people don’t even mention that it cut out the people who didn’t have the money for mint, and refuse to keep yuga labs accountable for the loss of their money that wasn’t needed for what occurred to happen.

What are influential people saying about the bored ape metaverse land mint?

Gary Vee is praising them for innovation without directly mentioning them, yet he knows that gas optimization isn’t hard or innovative, it is the rich and careless with their money glossing over the fact that a ton of money was destroyed.

While Gary Vee is on point with much of his commentary, he completely missed the point here.

This will be updated if need-be, but we believe this sums up the chaos of the bored ape mint and the money lost that shouldn’t have been.

Update: Forgot to mention some of the tweaks were raffles and waves

Ethereum Smart Contract SelfDestruct, Destroys Your Contract

Author wefightforsecurityPosted on August 28, 2021August 28, 2021Categories web securityTags , , , 2 Comments on Ethereum Smart Contract SelfDestruct, Destroys Your Contract

Ethereum logo used to discuss Self Destruct.
Ethereum Logo from Wikipedia

Ethereum Solidity code is used for writing smart contracts in Ethereum and a feature is called SelfDestruct. This is basically a function, that has existed in the Ethereum protocol since 2013. We are diving into Self Destruct and the problems with it.

What does Self Destruct do?

Self Destruct is written as SelfDestruct in the Solidity code. SelfDestruct can be used to dynamically update code, or delete code. A problem with SelfDestruct is no permission is needed for someone else to use it to update your code or delete code from an external contract. You also don’t have to use SelfDestruct within your code, as there are at least two other functions that can be used in an external contract for you to run it. Those functions are DelegateCall and CallCode, which are used a lot. No authentication or form of consent is needed for external contracts to modify your contract.

Someone can write a separate Ethereum Smart Contract written in Solidity that can interact with your Smart Contract. The other Smart contact can steal eth, delete the contract, updating the contract, or alter it. We wrote about stopping Ethereum contracts from being able to interact with your contract in our OnlyOwner article.

Some contracts need to interact with other contracts, which introduces a re-entrancy attack, unless it is secured. Securing against re-entrancy attack can be simple or complex, depending on how your code is written. These are just a few things that you want your smart contract secured against.

SelfDestruct is not the only function that can be used to modify another smart contract, but it is the one we are focusing on today. The creator of Ethereum looking back, wouldn’t have added SelfDestruct and they’re looking at a way to remove it, or make it not as much of a threat as it is now.

Smart Contracts can be written as secure as humanly possible, though based on what we discussed above, it is clear that the Ethereum blockchain is not in any form an immutable blockchain.

If you are writing a smart contract and need help, you can hire us, or contact us. You can also tweet us.

Ethereum Smart Contract Preventing Other Solidity Contracts From Hacking You

Author wefightforsecurityPosted on August 25, 2021August 25, 2021Categories web securityTags , 4 Comments on Ethereum Smart Contract Preventing Other Solidity Contracts From Hacking You

An Ethereum Smart Contract is written in Solidity, and has many built in-security features. In this article we are discussing a security feature, which is a specific Ethereum modifier that stops people from writing another smart contract that can interact with yours.

What is an Ethereum modifier?

It is in layman terms, built-in functions you can use in your own contract. While some smart contracts need to allow other Smart contracts to communicate with them, others it poses a great security risk to them. The Ethereum Modifier in Ethereum Smart Contracts called OnlyOwner is a great security feature. The name is very straightforward, There is Only the Owner of the Contract should be able to make changes.

modifier onlyOwner { require(msg.sender == owner); _; }

Great, now you have the modifier available to use, if you put this in your contract, but now you need to actually use it, not just have it there. If you’re writing a solidity file called Owned, then you should have the line that says 

function transferOwnership(address newOwner) public onlyOwner {

        owner = newOwner;
}

and in Congress.sol, you should put 

contract Congress is owned, tokenRecipient {
/// your stuff here }

This works great, if you are following the Solidity Style guide, which is where the code snippets are from. Always follow the Solidity Styles whenever possible.


Hopefully this quick review of the Ethereum Smart contract modifier OnlyOwner has been helpful for you when writing your contract in Solidity. We understand this isn’t always an option, which is why we have a lot more articles coming soon for you.

Recovering Hacked Facebook & Defeating Porn Ransom

Author wefightforsecurityPosted on July 13, 2021July 13, 2021Categories web security14 Comments on Recovering Hacked Facebook & Defeating Porn Ransom
Cyber crime
Dealing with active cyber crime

Hacked Facebook and picture being held ransom cybercrime

Intent and motive are two important parts of solving any crime, the same goes for cyber-crime.

This is a real case we had with the names anonymized for privacy purposes. Someone woke up Saturday morning to two rude surprises. We dealt with a compromised Facebook while also dealing with ransom of a picture from a compromised email address.

Many experts say pay the ransom, but the ransom had already been paid two weeks ago. This was before they reached out to us.

This has two moving parts, a hacked facebook and a ransom of a personal porn picture that no one wanted released. We are going to cover how we dealt with the hacked Facebook first.

How to identify who hacked your Facebook

Make sure all tabs are closed and no applications are running in the background on your desktop. This is so you can see what IP addresses are inbound with as much accuracy as possible.

  1. open up Facebook messenger
  2. Open up command prompt on Windows and when the person is writing, where you see those bubbles type netstat -an and hit enter. This will show all outbound and inbound IP addresses, 192.168 is an internal IP for every computer, as is 127.0.0.1. Ignore those addresses as those are from your machine.
  3. Analyze the inbound IP addresses, then use an IP reverse lookup to google maps. This is helpful if the attacker forgets to mask their identity with say, a VPN or Tor.
  4. Check lists of known VPNS and tor relays. This isn’t full proof, but it is helpful, as you will see in a minute.

The compromised Facebook was asking everyone for $500 in BTC or an ebay gift card. They were also portraying themselves as an old lost friend by changing the accounts name. Playing along got us enough of the same IP addresses repeatedly, which is what was needed. When we brought up the town they were in and how it was was they replied “Good”. When they were told there was plenty of evidence against them they deleted the facebook, or so they thought.

The head of Facebook Security is involved and they should restore the account.

Porn Ransom and how to combat it

The second problem, the porn ransom of the picture is where we are now. This took time to solve and when you have a ransom you’re short on time. The demand of money for the ransom continued.

I finally decided to stop focusing on the ransom and the pornography and treat the criminal like a human. What was the motivation behind the crime, why did they need this money? Once asked, they claimed they needed it for something in their house. This was a major breakthrough, because my reply was simple. I offered to teach them how to make that money legally with some apps, if you delete the picture permanently. They agreed to the terms, and I showed them how to make $500 really quickly online.

The picture was allegedly permanently deleted, but with criminals, well take everything with a grain of salt.

Regaining control of a hacked email and securing it after a hack

We regained control of the compromised email, so unless they downloaded the contacts, they had nowhere to post it, since the socials were also tightened down.

Moral of these two cases is pretty straightforward, everyone wants something. In these cases, isolate the two most important things the what they want and why they want it. I was then able to show them a legal way to obtain it.

The hacked Facebook case doesn’t appear to be related, as the tone of the writing, the words chosen, and timestamps of the messages are radically different between the two people. What we were told for free is that the image is somewhere on the deep web with the contact info, so this issue may persist. Time will tell.

We take pride in pro-actively and re-actively fighting threats, which in simple terms means we do both defense and offense security. If you need help, just contact us.