Cyber Security Blog

Facebook Data Breach Revealed: Moderator systems hacked, Banned Users Being Restored

Posted on October 30, 2023 (updated November 21, 2023). Categories: web security

In a landmark development, Planet Zuda has successfully played an important role in Facebook amending crucial security issues, now allowing individuals 13+ with banned accounts to access and download some of their personal data. Our research indicates that, as per the California CCPA, all information should be available for download. As of our last assessment, Facebook has yet to allow full downloads of information for banned users.

This breakthrough is one of many direct results of a three-month-long campaign for Facebook to address the serious security breach in their moderation system, which gave hackers the ability to ban accounts.

What was more intriguing is that these hackers worked in pairs: the one who would ultimately ban the account hacked it first and had control, potentially for up to two months, before ever doing anything. They would log in every once in a while, do nothing, and log out. This allowed them to learn where she was going, where she usually is, and where she was planning to be.

Based on what we know, they knew she was planning to go to a concert. So while our client was at the Taylor Swift ERAS concert in Los Angeles, the second hacker came on the scene after she posted that she was at the concert, since they knew she would be distracted for several hours. When an alert came across her phone during the concert asking if she had just logged in, which she had, she pressed yes and went back to the concert.

Unbeknownst to her, the second hacker had gained control of her account. They went through the account, changed the language and time zone, and, when the concert was about to end, added the words copyright infringement to her last name; then the first hacker took over and banned the account.

This made the ban appear to have been triggered by Facebook's AI responding to the words copyright infringement in the name, which is in fact a technique they used repeatedly, as shown in this Reddit thread.

Facebook confirmed our findings that they were hacked when we filed with their bug bounty program. Below are two screenshots of our communication with Facebook.

We unwaveringly communicated with Facebook's legal representatives, which led to the partial Download Your Information option for banned accounts being added the day after we contacted them. We also informed them of the breach in their client systems multiple times. We then started a vigorous campaign that, while initially focused on restoring our client's account, evolved into trying to get all accounts banned by hackers reinstated, by spreading awareness of the issue to the FBI, the FTC, the Department of Justice, and reporters.

We reached out to two attorneys general before we became aware of the scope of the hack, so they only have our initial findings about our client's hack.

Our hundreds of hours of work culminated in a significant victory on October 25th, when it was discovered that previously banned accounts were being reinstated en masse. These accounts changed from banned to locked and now await verification from their legitimate owners via the email addresses and phone numbers they provided before their accounts were hacked. In other words, Facebook reverted all the accounts banned by the hackers to their original, unhacked state.

What is concerning for parents about this data breach is that these hackers had moderator powers, presumably could have hacked teens' accounts, and now those communications might be for sale to criminals. This intertwines with Meta employees testifying that they weren't protecting teens, and this data breach drives that message home for teens and adults of all ages. If anyone under the age of 13 uses Facebook, they also could have been compromised during this breach.

A positive result from this hack is that Facebook has now added additional security to the login sequence for moderators: you now have to provide a code tied to your laptop. It's important to note that passwords are still allowed, though it appears they are being phased out due to the breach.

Facebook has yet to issue a formal disclosure of the breach or submit the hack to the California Attorney General's data security breach system. When a company does submit, the confidential details of how the hack occurred are visible only to the Attorney General, but the fact that a breach has occurred is available for all to see.

Conclusion: In an era where our digital footprints expand with each passing day, the importance of cybersecurity cannot be overstated. This incident with Facebook serves as a stark reminder of the vulnerabilities that exist, even within the platforms we consider most secure. It’s not just about protecting our online presence, but also about safeguarding our personal information, our memories, and in some cases, our personal safety. At Planet Zuda, our commitment goes beyond just identifying these vulnerabilities. We strive to ensure that digital platforms take responsibility, rectify breaches, and most importantly, prioritize the safety of their users.

Engage with Us: Have you or someone you know experienced similar cybersecurity concerns? We’d love to hear your stories and insights. Share your experiences in the comments below, or email us for help. By spreading awareness, we can collectively push for a safer digital future. If you found this information valuable, consider sharing this post on your social channels. Together, we can make a difference.

Introducing SEO & Redirect 3.1: Empower Your Site with Custom SEO Descriptions for Every Post and Page

Posted on May 28, 2023 (updated June 2, 2023). Categories: web security

In a constant effort to improve user experience and eliminate frustrating 404 errors, we initially developed SEO Redirect Editor. This innovative program aimed to tackle the issue of broken links, ensuring a seamless browsing experience. Building upon its success, we released version 2, which not only addressed flaws found in other SEO programs but also provided automatic error removal.

Now, we are thrilled to unveil SEO & Redirect 3.1, a major milestone in our journey. With this latest version, we introduce the ability to create SEO descriptions directly within our application.

But you may be wondering, where is the “Save SEO Description” button? Rest assured, we designed SEO & Redirect 3.1 to align with the expectations of modern users. Say goodbye to clunky user interfaces and welcome a streamlined approach. Simply write your SEO description, hit “Save Draft” or “Publish,” and voila! Your meticulously crafted description is instantly published alongside your content, visible to web crawlers. It’s fast, simple, and hassle-free.

So, what lies ahead for SEO & Redirect? Our commitment to enhancing this powerful tool remains steadfast. We’ve already heightened security and improved loading speeds, ensuring a safer and faster experience for our users. But we’re not stopping there. We have exciting plans in the pipeline, including further version releases and feature additions, all aimed at enhancing your SEO capabilities and boosting your online presence.

Ethereum Smart Contract Preventing Other Solidity Contracts From Hacking You

Posted on August 25, 2021. Categories: web security

An Ethereum smart contract is written in Solidity and has many built-in security features. In this article we discuss one of them: a specific modifier that stops people from writing another smart contract that can interact with yours.

What is an Ethereum modifier?

In layman's terms, modifiers are built-in functions you can use in your own contract. While some smart contracts need to let other smart contracts communicate with them, for others that access poses a great security risk. The modifier in Ethereum smart contracts called onlyOwner is a great security feature. The name is very straightforward: only the owner of the contract should be able to make changes.

modifier onlyOwner() {
    // Revert unless the caller's address is the stored owner address
    require(msg.sender == owner, "caller is not the owner");
    _; // the body of the modified function runs here
}

Great, now the modifier is available to use once you put this in your contract, but you still need to actually apply it, not just have it there. If you're writing a Solidity file called Owned, then you should have a function that reads

function transferOwnership(address newOwner) public onlyOwner {
    // only the current owner passes the onlyOwner check above
    owner = newOwner;
}


and in Congress.sol, you should put

contract Congress is owned, tokenRecipient {
    // your stuff here
}

This works great if you are following the Solidity style guide, which is where these code snippets come from. Always follow the Solidity style guide whenever possible.


Hopefully this quick review of the Ethereum smart contract modifier onlyOwner has been helpful when writing your contract in Solidity. We understand this isn't always an option, which is why we have a lot more articles coming soon for you.

Recovering Hacked Facebook & Defeating Porn Ransom

Posted on July 13, 2021 (updated November 2, 2023). Categories: web security, cyber crime

Dealing with active cyber crime


Intent and motive are two important parts of solving any crime, the same goes for cyber-crime.

This is a real case we had, with the names anonymized for privacy purposes. Someone woke up Saturday morning to two rude surprises. We dealt with a compromised Facebook account while also dealing with the ransom of a picture taken from a compromised email address.

Many experts say to pay the ransom, but in this case the ransom had already been paid two weeks earlier, before they reached out to us.

This has two moving parts: a hacked Facebook account and a ransom of a personal porn picture that no one wanted released. We are going to cover how we dealt with the hacked Facebook account first.

How to identify who hacked your Facebook

Make sure all tabs are closed and no applications are running in the background on your desktop, so that you can see which IP addresses are inbound with as much accuracy as possible. While we prefer Wireshark, you can do the following instead, as Wireshark has a steep learning curve for most.

  1. Open up Facebook Messenger.
  2. Open up a command prompt on Windows and, while the person is typing (when you see the typing bubbles), type netstat -an and hit Enter. This shows all outbound and inbound connections. Addresses starting with 192.168 are private internal addresses, as is 127.0.0.1; ignore those, as they belong to your own machine or network.
  3. Analyze the inbound IP addresses, then use a reverse IP lookup to place them on Google Maps. This is helpful if the attacker forgets to mask their identity with, say, a VPN or Tor.
  4. Check lists of known VPNs and Tor relays. This isn't foolproof, but it is helpful, as you will see in a minute.

The compromised Facebook account was asking everyone for $500 in BTC or an eBay gift card. They were also portraying themselves as a long-lost friend by changing the account's name. Playing along got us enough of the same IP addresses repeatedly, which is what was needed. When we brought up the town they were in and how it was there, they replied "Good". When they were told there was plenty of evidence against them, they deleted the Facebook account, or so they thought.

The head of Facebook Security is involved and they should restore the account.

Porn Ransom and how to combat it

The second problem, the ransom of the picture, is where we are now. This took time to solve, and when you have a ransom you're short on time. The demands for money continued.

I finally decided to stop focusing on the ransom and the pornography and to treat the criminal like a human. What was the motivation behind the crime; why did they need this money? Once asked, they claimed they needed it for something in their house. This was a major breakthrough, because my reply was simple: I offered to teach them how to make that money legally with some apps if they deleted the picture permanently. They agreed to the terms, and I showed them how to make $500 really quickly online.

The picture was allegedly permanently deleted, but with criminals, well, take everything with a grain of salt.

Regaining control of a hacked email and securing it after a hack

We regained control of the compromised email, so unless they had downloaded the contacts, they had nowhere to post it, since the social accounts were also locked down.

The moral of these two cases is pretty straightforward: everyone wants something. In these cases, isolate the two most important things, what they want and why they want it. I was then able to show them a legal way to obtain it.

The hacked Facebook case doesn't appear to be related, as the tone of the writing, the word choice, and the timestamps of the messages are radically different between the two people. What we were told for free is that the image is somewhere on the deep web along with the contact info, so this issue may persist. Time will tell.

We take pride in proactively and reactively fighting threats, which in simple terms means we do both defensive and offensive security. If you need help, just contact us.

wp_create_nonce does not secure you against CSRF or XSRF

Posted on March 31, 2021. Categories: csrf, wordpress functions security, wp security

What is wp_create_nonce and what is it for?

wp_create_nonce is a function for theme and plugin developers using WordPress. The majority of developers understandably believe this secures their forms from cross-site request forgery; unfortunately, it doesn't. WordPress is great at making functions for developers that any reasonable person would believe have security built in. When it comes to WordPress, that isn't the case.

How do I secure forms from hackers?

wp_create_nonce is a good starting point, but you have to use wp_verify_nonce to validate the token so that the protection against CSRF actually works. If you just call wp_create_nonce, it is like putting a lock on a door with tape that anyone can remove. When you use wp_verify_nonce in your code, it is like properly securing the lock, which should have happened in the first place.
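The difference described above, shown as an added example (not code from the original post): a hypothetical plugin settings form whose handler only generates a nonce, beside the same form whose handler verifies it with wp_verify_nonce and then checks the user's capability. The action name pz_save_settings, the field name pz_nonce and the option pz_settings are assumed for illustration.

```php
<?php
// Added example, not from the original post. Assumed names: action
// 'pz_save_settings', nonce field 'pz_nonce', option 'pz_settings'.

// WEAK: the nonce is generated and printed, but the handler never checks it,
// so any cross-site POST the logged-in admin's browser sends is accepted.
function pz_weak_form() {
    $nonce = wp_create_nonce( 'pz_save_settings' );
    echo '<form method="post">';
    echo '<input type="hidden" name="pz_nonce" value="' . esc_attr( $nonce ) . '">';
    echo '<input type="text" name="pz_title"><button>Save</button></form>';
}
function pz_weak_handler() {
    if ( isset( $_POST['pz_title'] ) ) {
        update_option( 'pz_settings', sanitize_text_field( wp_unslash( $_POST['pz_title'] ) ) );
    }
}

// HARDENED: wp_nonce_field() prints the same kind of token; the handler refuses
// the request unless wp_verify_nonce() accepts it AND the user holds the capability.
function pz_secure_form() {
    echo '<form method="post">';
    wp_nonce_field( 'pz_save_settings', 'pz_nonce' );
    echo '<input type="text" name="pz_title"><button>Save</button></form>';
}
function pz_secure_handler() {
    if ( ! isset( $_POST['pz_title'] ) ) {
        return;
    }
    $nonce = isset( $_POST['pz_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['pz_nonce'] ) ) : '';
    // wp_verify_nonce() returns false when the token is missing, forged, issued
    // for another action or user, or older than the nonce lifetime (24 h by default).
    if ( ! wp_verify_nonce( $nonce, 'pz_save_settings' ) ) {
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }
    // A valid nonce only proves the request came from a page WordPress rendered
    // for this user; whether the user may change settings is a separate check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    update_option( 'pz_settings', sanitize_text_field( wp_unslash( $_POST['pz_title'] ) ) );
}
add_action( 'admin_init', 'pz_secure_handler' );
```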

Why should my forms be secure against CSRF & hackers?

Forms interact with the site's database, and many admin forms don't prevent malicious content from being submitted. So an attacker could inject their own malicious code, damage your site, or do anything they want as that user.

Now I can hear you rolling your eyes and saying CSRF isn't a problem because it requires a logged-in developer to go to a malicious site. That isn't true: yes, it requires a logged-in developer visiting a site, but it doesn't have to be one that is inherently malicious. Also, interaction isn't required if things are properly automated. Their site can be attacked while they look at a picture or play a game. It is deceptively easy to misuse insecure forms. While CSRF isn't as bad as SQL injection or how most developers use is_admin(), it certainly needs to be secured.

In conclusion, secure all your code.