Jump to content

Leaderboard

Popular Content

Showing content with the highest reputation on 06/22/21 in all areas

  1. This article is about how I found a vulnerability on Apple forgot password endpoint that allowed me to takeover an iCloud account. The vulnerability is completely patched by Apple security team and it no longer works. Apple Security Team rewarded me $18,000 USD as a part of their bounty program but I refused to receive it. Please read the article to know why I refused the bounty. After my Instagram account takeover vulnerability, I realized that many other services are vulnerable to race hazard based brute forcing. So I kept reporting the same with the affected service providers like Microsoft, Apple and a few others. Many people mistook this vulnerability as typical brute force attack but it isn’t. Here we are sending multiple concurrent requests to the server to exploit the race condition vulnerability present in the rate limits making it possible to bypass it. Now lets see what I found in Apple. The forgot password option of Apple ID allows us to change our password using 6 digit OTP sent to our mobile number and email address respectively. Once we enter the correct OTP we will be able to change the password. Apple forgot password page prompting to enter mobile number after entering email address For security reasons, apple will prompt us to enter the trusted phone number along with email address to request OTP. So to exploit this vulnerability, we need to know the trusted phone number as well as their email address to request OTP and will have to try all the possibilities of the 6 digit code, that would be around 1 million attempts (10 ^ 6). As for as my testing, the forgot password endpoint had pretty strong rate limits. If we enter more than 5 attempts, our account will be locked for the next few hours, even rotating the IP didn’t help. HTTP POST REQUEST SENT TO FORGOT PASSWORD ENDPOINT AND ITS RESPONSE Then I tried for race hazard based brute forcing by sending simultaneous POST requests to apple server and found a few more limitations. To my surprise, apple have rate limits for concurrent POST requests from single IP address, not just to the forget password endpoint but to the entire apple server. We cannot send more than 6 concurrent POST requests, it will be dropped. It will not just be dropped but our IP address will be blacklisted for future POST requests with 503 error. Oh my god! That is too much 🤯 So I thought they aren’t vulnerable to this type of attack 😔 but still had some hope since these are generic rate limits across the server and not specific to the code validation endpoint. After some testing, I found a few things iforgot.apple.com resolves to 6 IP addresses across the globe – (17.141.5.112, 17.32.194.36, 17.151.240.33, 17.151.240.1, 17.32.194.5, 17.111.105.243). There were two rate limits we have seen above, one is triggered when we send more than 5 requests to forgot password endpoint (http://iforgot.apple.com/password/verify/smscode) and another one is across the apple server when we send more than 6 concurrent POST requests. Both these rate limits are specific to apple server IP which means we can still send requests (with in limits though) to another apple server IP. We can send upto 6 concurrent requests to an apple server IP (by binding iforgot.apple.com to the IP) from single client IP address as per their limits. There are 6 apple IP address resolved as mentioned above. So we can send upto 36 requests across the 6 apple IP address (6 x 6 = 36) from single IP address. Therefore, the attacker would require 28K IP addresses to send up to 1 million requests to successfully verify the 6 digit code. 28k IP addresses looks easy if you use cloud service providers, but here comes the hardest part, apple server has a strange behavior when we try to send POST requests from cloud service providers like AWS, Google cloud, etc. Response for any POST request sent from AWS & Google cloud They reject the POST request with 502 Bad gateway without even checking the request URI or body. I tried changing IPs but all of them returned same response code, which means they have blacklisted the entire ASN of some cloud service providers if am not wrong 🙄 It makes the attack harder for those who rely on reputed cloud services like AWS. I kept trying various providers and finally found a few service providers their network IPs are not blacklisted. Then I tried to send multiple concurrent POST requests from different IP address to verify the bypass. And it worked!!! 🎉🎉🎉 Now I can change the password of any Apple ID with just their trusted phone number 😇 Of course the attack isn’t easy to do, we need to have a proper setup to successfully exploit this vulnerability. First we need to bypass the SMS 6 digit code then 6 digit code received in the email address. Both bypasses are based on same method and environment so we need not change anything while trying the second bypass. Even if the user has two factor authentication enabled, we will still be able to access their account, because 2FA endpoint also shares the rate limit and was vulnerable. The same vulnerability was also present in the password validation endpoint. I reported this information with detailed reproduction steps and a video demonstrating the bypass to Apple security team on July 1st, 2020. Apple security team acknowledged and triaged the issue with in few minutes of report. I didn’t get any updates from Apple after triage so I kept following up for status updates and they said they are working on a fix on Sep 9th, 2020. Again, no updates for next 5 months and then this email came when I asked for status They said they are planning to address the issue in upcoming security update. I was wondering what is taking so long for them to react to a critical vulnerability. I kept retesting the vulnerability to know whether its fixed instead of relying on them. I tested on April 1st, 2021 and realized a patch for the vulnerability was released to production but still there were no updates from Apple. I asked them whether the issue is patched and the response is same as they have no status updates to share. I was patient and waiting for them to update the status. After a month, I wrote them that the issue was patched on April 1st itself and why am not being updated about it, I also told that I wanted to publish the report to my blog. Apple security team asked me whether it is possible to share the draft of the article with them before publishing. That is when things started to go unexpected. After sharing the draft, they denied my claim saying that this vulnerability do not allow to takeover majority of the icloud accounts. Here’s their response As you can see in the email screenshot, their analysis revealed that it only works against iCloud accounts that has not been used in passcode / password protected Apple devices. I argued that even if the device passcode (4 digit or 6 digit) is asked instead of 6 digit code sent to email, it will still share the same rate limits and would be vulnerable to race condition based brute forcing attacks. We will also be able to discover the passcode of the associated Apple device. I also noticed a few changes in their support page regarding forgot password. Link : https://support.apple.com/en-in/HT201487 The above screenshot shows how the page looks now but it wasn’t the same before my report. In October 2020, that page looked like this Link from web archive : http://web.archive.org/web/20201005172245/https://support.apple.com/en-in/HT201487 “In some cases” is prefixed to the paragraph on October 2020, that is exactly after I was told that they are working on a fix in September 2020. It looks like everything was planned, the page was updated to support their claim of only limited users were vulnerable. That page wasn’t updated for years but getting a minor update after my report. It doesn’t look like a coincidence. When I asked about it, they said the updates are made due to changes in iOS 14. What does resetting password using trusted email / phone number has to do with iOS 14 I asked. If that is true, are trusted phone number and email used to reset the password before iOS 14? If that’s the case, my report is applicable to all Apple accounts. I didn’t get any answer from them. I was disappointed and told them that I am going to publish the blog post with all the details without waiting for their approval. Here’s the reply I got from them. They arranged a call with Apple team engineers to explain what they found in their analysis and also to answer any questions I may have. During the call, I asked why it is different from the vulnerability I found. They said that the passcode is not being sent to any server endpoint and is verified in the device itself. I argued that there is no way for a random apple device to know another device’s passcode without contacting Apple server. They said it is true that the data is sent to server but it is verified using a cryptographic operation and they cannot reveal more than that due to security concerns. I asked what if we find out the encryption process through reverse engineering to replicate it and brute force the Apple server with concurrent requests. I didn’t get any definite answer for that question. They concluded that the only way to brute force the passcode is through brute forcing the Apple device which is not possible due to the local system rate limits. I couldn’t accept what Apple engineers said, logically, it should be possible to replicate what Apple device is doing while sending the passcode data to server. I thought to verify it myself to prove them. If what they said is true, passcode validation endpoint should be vulnerable to race condition based brute forcing. After a few hours of testing I found that they have SSL pinning specific to the passcode validation endpoint, so the traffic sent to the server cannot be read by MITM proxy like burp / charles. Thanks to checkra1n and SSL Kill Switch, using their tool I was able to bypass pinning and read the traffic sent to server. I figured out that Apple uses SRP (Secure Remote Password), a PAKE protocol to verify the user knows the right passcode without actually sending it to the server. So what the engineers said is right, they aren’t sending the passcode directly to server. Instead, both server and client do some mathematical calculations using the previously known data to derive at a key (more like diffie-hellman key exchange). Without getting into the specifics of SRP, let me get straight to what is necessary in our context. Apple server has two stored values namely verifier and salt specific to each user created at the time of setting or updating the passcode. Whenever a user initiates a SRP authentication with username and a ephemeral value A, Apple server responds back with the salt of the specific user and a ephemeral value B. Client uses the salt obtained from server to calculate the key prescribed by SRP-6a. Server uses the salt and verifier to calculate the key prescribed by SRP-6a. Finally they both prove to each other that the derived key are same. Read more about the detailed calculations of SRP-6a here. SRP is known to prevent bruteforce attacks as it has user-specific salt and a verifier, so even if someone steals our database, they will still need to perform a CPU intensive bruteforce for each user to discover the password one by one. That gives enough time for the affected vendor to react to it. But, in our case, we don’t have to bruteforce a large number of accounts. Bruteforcing single user is enough to get into their iCloud account as well as finding their passcode. Brute forcing is possible only when you have both salt and verifier specific to the target user. After bypassing the SMS passcode we can easily impersonate as the target user and obtain the salt. But the problem here is verifier. We should either somehow obtain the verifier from server or bypass the rate limit on key verifying endpoint. If the rate limit is bypassed, we can keep on trying different combinations of key obtained using the precomputed values of the passcode until we arrive at the matching key. Obviously, it requires a lot of computation to derive a key of each 4 or 6 digit numeric passcodes (from 0000/000000 to 9999/999999). When we enter the passcode in an iPhone / iPad during password reset, the device initiates SRP authentication by sending the user session token obtained from the successful SMS verification. The server responds back with the salt of the respective user. The passcode and the salt are hashed to then derive the final key which is sent to https://p50-escrowproxy.icloud.com/escrowproxy/api/recover to check whether it matches the key computed (using ephemeral, salt and verifier) on the server. And the POST request sent to verify the key looked like this String tag has all the data mentioned above but are sent in DATA BLOB format. The first thing I wanted to check is rate limit before decoding the values of BLOB. I sent the request 30 times concurrently to check whether the endpoint was vulnerable. To my shock, it wasn’t vulnerable. Out of 30 requests, 29 of them were rejected with internal server error. Rate limiting would be performed in the Apple server itself or in HSM (hardware security module). Either way, the rate limit logic should be programmed as such to prevent race hazard. There is very bleak chance for this endpoint to be not vulnerable to race hazard before my report because all the other endpoints I tested was vulnerable – SMS code validation, email code validation, two factor authentication, password validation was all vulnerable. If they did patch it after my report, the vulnerability became a lot more severe than what I initially thought. Through bruteforcing the passcode, we will be able to identify the correct passcode by differentiating the responses. So we not only can takeover any iCloud account but also discover the passcode of the Apple device associated with it. Even though the attack is complex, this vulnerability could hack any iPhone / iPad that has 4 digit / 6 digit numeric passcode if my assumption is right. Since it is now validating the concurrent requests properly, there is no way for me to verify my claim, the only way I can confirm this is by writing to Apple but they aren’t giving any response in this regard. I got the bounty email from Apple on June 4th, 2021. The actual bounty mentioned for iCloud account takeover in Apple’s website is $100,000 USD. Extracting sensitive data from locked Apple device is $250,000 USD. My report covered both the scenarios (assuming the passcode endpoint was patched after my report), so the actual bounty should be $350,0000. Even if they chose to award the maximum impact out of the two cases, it should still be $250,000 USD. Selling these kind of vulnerabilities to government agencies or private bounty programs like zerodium could have made a lot more money. But I chose the ethical way and I didn’t expect anything more than the outlined bounty amounts by Apple. https://developer.apple.com/security-bounty/payouts/ But $18,000 USD is not even close to the actual bounty. Lets say all my assumptions are wrong and Apple passcode verifying endpoint wasn’t vulnerable before my report. Even then the given bounty is not fair looking at the impact of the vulnerability as given below. Bypassed the two factor authentication. It is literally like 2FA doesn’t exist due to the bypass. People who are all relying on 2FA are vulnerable. This itself is a major vulnerability. Bypassed the password validation rate limits. All the Apple ID accounts that use common / weak / hacked passwords are vulnerable even if they have two factor authentication enabled. Once hacked, the attacker can track the location of the device as well as wipe the device remotely. 2014 celebrities iCloud hack is majorly because of weak passwords. Bypassed the SMS verification. If we know the passcode or password of the device associated with the iCloud account. Lets say any of your friends or relatives knows your device passcode, using this vulnerability, they can takeover your iCloud account and also can erase your entire device remotely over the internet without having physical access to it. We can takeover all Apple IDs that are not associated with a passcode protected Apple device due to both SMS and email verification code bypass, which means Any apple device without passcode or password, like anyone who turned off or didn’t set the passcode / password. Any Apple ID created without apple device, like in browsers or in an android app and not been used in password protected apple devices For example, 50 Million+ android users have downloaded Apple music app. In those, majority of them may not have used Apple devices. They are still Apple users and their information like credit cards, billing address, subscription details, etc could be exposed. They need not reward the upper cap of the iCloud account takeover ($100k) but it should at least be close to it considering the impact it has created. After all my hard work and almost a year of waiting, I didn’t get what I deserved because of Apple’s unfair judgement. So I refused to receive the bounty and told them it is unfair. I asked them to reconsider the bounty decision or let me publish the report with all the information. There wasn’t any response to my emails. So I have decided to publish my article without waiting for their response indefinitely. Therefore, I shared my research with Apple for FREE of cost instead of an unfair price. I request Apple security team to be more transparent and fair at least in the future. I would like to thank Apple for patching the vulnerability. I repeat, the vulnerability is completely fixed and the scenarios described above no longer works. Thank you for reading the article! Please let me know your thoughts in comments. Source: https://thezerohack.com/apple-vulnerability-bug-bounty
    2 points
  2. i7-3610QM e din 2012! Q2'12, Discontinued Ram ddr-3 Max 32gb ram Intel® HD Graphics 4000 Memory Channels 2 Nimeni nu vrea hardware vechi de 9 ani. Laptopurile cu acest procesor au stat vreo 5-6 ani pe stock in depozit pana sa le cumperi tu. (sau daca sunt SH au fost folosite minim 5-6 ani) De ce e Dacia 1310 mai iefnita decat Dacia duster? Vad ca viteza maxima la amandoua 150km/h
    2 points
  3. @spider mersi frumos, I am scris. astept sa raspunda.
    1 point
  4. 1 point
  5. Sa apara mai intai si pe urma vom vedea cum este Sau ne poate spune cineva care este dev/beta tester la Micro.
    1 point
  6. Restore, daca au funcionat positbil sa isi fi facut update, incearca Restore sau Downgrade
    1 point
  7. pai nu se dezinstaleaza ele raman pe HDD si dupa restart sistemul de operare va instala cel mai indicat driver cred...
    1 point
  8. https://forums.tomshardware.com/threads/should-i-uninstall-drivers-prior-to-installing-new-cpu-video-card-and-memory.1754428/
    1 point
  9. Buton Start - Click dreapta Computer - proprieties - device manager - DVD/CD Rom drives - proprieties - driver - uninstall
    1 point
  10. #beginnersBeginner's Guides SEO SEO News Roundup Beginner's Guide to SEO ContentKing Academy hreflang Guide Google's SEO Guide Bing Webmaster Guide How Google Works by Paul Haahr How Google works for JS Heavy Sites About URLs, LazyLoading, etc Javascript SEO Playlist Plato Web Design SEO Guide How Search works The Anatomy of a Perfect Web Page How Google Crawls a Web Page Webmaster Guidelines Beginner's Guide to Link Building Google Quality Rating Guideline - March 28, 2016 Microsoft Excel for SEOs Google Penalty Removal Web Performance 101 Guide to Website Speed Optimization Log File Analysis for SEO Creative Link Building Ideas Mobile Measurement Glossary Marketing Facebook Blueprint Google Digital Garage How to Start a Startup Ranking Factors Search Engine Ranking Factors Periodic Table Ranking Factors Northcutt Google Ranking Factors #site-auditSite Audit MorningScorePaid SiteProfilerPaid SEMRushPaid SEO Site Checkup Moz On-Page GraderPaid SiteGuru Browseo SEOMatorPaid WooRankPaid Varvy ryte Raven Site Auditor Silktide Nibbler Rocket Validator Tenon.io DareBoost thruuu Mobile Audit Mobile Friendly Test Mobile First Index Checker Mobile-First Auditemail Mobile Moxie Device Emulator Mobi Ready Parito Penalty Checker Enhanced Google Analytics Annotations Website Penalty Indicator Panguin Tool Site Crawlers ContentKingPaid Screaming Frog SEO Spider JetoctopusPaid Netpeak SpiderPaid Sitebulb DeepCrawlPaid BotifyPaid OnCrawlPaid IA Audit Whimsical Octopus.do MindMup MindMeister DYNO Mapper MindNodePaid XMindPaid RarchyPaid Cross-Browser Testing BrowserStackPaid BrowserlingPaid Browser SandboxPaid BrowserShots Browser Plugins View Rendered Source Checkbot MozBar Check My Links Redirect Path Check My Links #a-b-testA/B Testing Omniconvert Google Optimize OptimizelyPaid Visual Website OptimizerPaid AB TastyPaid SEO A/B Tests SanityCheckPaid DistilledODNPaid RankSciencePaid RankSensePaid SEO TestingPaid UpdatablePaid a/b rankingsPaid SparkPaid #adsAds - Promotions Google AdSense Google AdWords BuySellAds Facebook Ads Twitter Ads Pinterest Ads Reddit Advertising Outbrain SyndicateAds Zemanta AdEspresso LinkedIn Advertising Waze Advertising Quora Submission QuuuPaid Startup Lister Instaaa Promote Hour Inspiration Native Advertising Examples Moat AdboxPaid Unicorn Ads DIY Tool BannerBearPaid Bannersnack #ampAMP AMP Validator AMP Page Experience Postlight Mercury AMP by Example Browser Plugins AMP Validator #audienceAudience Sparktoro Facebook Audience Insights Find My Audience #automationsAutomations BabylonTrafficPaid PhantombusterPaid SERP EmpirePaid #data-studioData Studio Google Data Studio Data Studio Templates Keyword data by day CrUX Report #analyticsAnalytics Website Yandex metrica Fullstory Heap Analytics Hotjar Mixpanel Google Analytics Piwik StatCounter WebtrendsPaid Clicky Crazy Egg Segment.io Intercom Observe Baremetrics Keyword Hero Social Media Uprise.io Social Crawlytics Tagboard Shared Count ShareTally PostReach Tools JeptoPaid PaveAI Google Analytics Configuration Tool Referrer Spam Remover GAChecker Training Analytics CoursePaid #appsApps Applyzer Firebase App Indexing The App Launch Checklist #blogsBlogs SEO Moz Search Engine Land SEO by the Sea Search Engine Watch Search Engine Roundtable Backlinko ViperChill Ausisto Insights Marketing Copyblogger BufferApp Blog #chatChat BowtiePaid Drift IntercomPaid Chat Bot MobileMonkey #communitiesCommunities Traffic Think TankPaid IndieHackers Reddit - BigSEO Reddit - TechSEO Moz Q&A WebmasterWorld Black Hat World Warrior Forum #competitorCompetitor Analysis SEMRushPaid SE RankingPaid SimilarWeb Serpstat ahrefs Site ExplorerPaid Browser Plugins Wappalyzer Built With SimilarTech #conferenceConferences SEO TechSEO Boost SearchLove Conference The Inbounder MozCon BlackHatWorld Conference SEO Meetup SMX Advanced Inbound Conductor C3 Conference Marketing Pubcon The Growth Hacking Conference SES Conference Reel Video Summit Content Marketing World South by Southwest Interactive Others SEO conference slides #contentContent ContentlyPaid ScriptedPaid NewsCredPaid KapostPaid CopypressPaid ContentHarmonyPaid Research DashwordPaid TopicPaid NeuralTextPaid BuzzSumoPaid MarketMusePaid ClearScopePaid SocialAnimalPaid SEMRush Content Template Analyzer Frase Surfer Text Tools ryte CognitiveSEO Content Assistant Natural Language Understanding Tone Analyzer Cloud Natural Language API Headline Analyzer nTopic Duplicate Content Copyscape Plagium Quetext Siteliner Inspiration ContentSnippets Hey Nishi Headlime Headline Generator Portent Content Idea Generator Blog Topic Generator Link Bait Title Generator Writing Grammarly Hemingway Browser Plugins Zest.is SEMrush SEO Writing Assistant Extract entities from SERP #content-curationContent Curation Substack Snip.ly Feedly Pocket #conversionsConversions Calls NovocallPaid ResponseiQPaid Calendly PopUp Get Site ControlPaid OptinMonsterPaid #data-enrichmentData Enrichment LeadworxPaid ClearbitPaid MattermarkPaid piplPaid ExperianPaid #data-scrapersData Scrapers AgentyPaid Import.io Docparser ScrapeBoxPaid SERP Scrapers Apify SERP APIPaid Zen SERP Data for SEOPaid Browser Plugins Scraper #domain-toolsDomain Tools NameCheap DNSLookup DNS check DNS Checker Reverse IP DomEye Buy/Sell DomCopPaid 1k ProjectsPaid Investors ClubPaid #e-commerceE-commerce ShopifyPaid WooCommerce Magento Resources Baymard Institute eCommerce Features Matrix Grow My Store #edge-seoEdge SEO SlothPaid RankSensePaid Huckabuy SEO CLoudPaid #emailEmail Worth Exploring Email Markup Gmail Schema Whitelist Request Email CSS Tools Moosend MailerLite MailChimp Revue EmailOctopus MailGun SendPulse NovaPaid SendyPaid SendGrid Betaout AWeberPaid Boomerang SignupSumo Inky's Inliner MailLift MotionMail Email Template Generator Email Testing Inbox Inspector PutsMail LitmusPaid Targeted.io Email on AcidPaid Email Markup Tester Email Sender Reputation Senderbase SenderScore ReputationAuthority BarracudaCentral TrustedSource Email Subject Line Tester Subject Line Test SubjectLine Email Spam Score Email on Acid Litmus Postmark ISnotSpam SpamScoreChecker Postmaster Tools Mail Tester Email Hosting Zoho Email Discovery Email Revealer Elucify Hunter VoilaNorbert Rocket Reach Newsletter Database Newsletter City Upstart.me Paved BuySellAds Email List Validation Email Checker MailTest Email Hippo Email Copy DripScripts Great Email Copy Good Email Copy Good Sales Email Inspiration HTML Email Designs Really Good Emails RivalExplorer NotablistPaid Beetle Browser Plugins Streak Sidekick Rebump FullContact Gmail Autoresponder Clearbit Connect Templates for Gmail Disposable Email Mailinator MailDrop MailDude EmailonDeck 10MinuteMail inboxKitten #enterpriseEnterprise SEO Longtail UXPaid #gamesGames Technical SEO Challenge SEO Pirates the search game HiddenKeywords SEO Crossword Puzzle Where is Larry #growthGrowth Affiliate Program PartnerStack RefersionPaid Smile.io ReferralCandy Viral LoopsPaid Contest Gleam.io RewardsFuel Rafflecopter HeyoPaid Personalization Targeting Monkey Insite #hostingHosting GitHub Pages Digital OceanPaid Netlify Surge Amazon Web ServicesPaid WordPress WordPressPaid KinstaPaid LiquidWebPaid NexcessPaid Managed Cloud Hosting CloudwaysPaid #influencerInfluencer Marketing IntellifluencePaid AssemblyPaid InsensePaid TribePaid ScrunchPaid FamebitPaid TomosonPaid HelloSocietyPaid ReelioPaid Grapevine LogicPaid SocialLadderPaid #instagramInstagram HypeAuditorPaid InsensePaid PicStats Meta Hashtags Instagram Story Templates Bots instato.ioPaid InstazoodPaid #imagesImages Stock Images AllTheFreeStock Image Optimizer Compressor.io Kraken.io Image Editors Fotor Canva Placeit Aesthetic Reverse Image Search Image Raider TinEye Image Delivery Cloudinary Image Analysis Vision AI #keywordsKeywords Keyword Research SERPWoo Keyword Finder Entity Explorer SerpChecker Free Keyword Generator Tool wondersear.ch keyword tool SEMRush Keyword ResearchPaid Autocomplete vs Graph SE RankingPaid SEOMonitor KW Finder Gookey Serpstat WordNet Search Keyword KegPaid Moz Keyword Explorer Sistrix Amazon Keyword Tool ahrefs Keywords ExplorerPaid keyworddit Reddit sense2vec Reddit ngram Keyword Tool Term Explorer Übersuggest LSIGraph Soovle Google Keyword Planner Bing Ads Intelligence Wordstream SERP Keyword Tool WordTrackerPaid Keyword Eye Questions Question DB AnswerThePublic Faq Fox AlsoAsked Question AnalyzerPaid Working with Keywords Add Prefix or Suffix Keyword ClusteringPaid Sentinel Bulk Keyword Generator Moz Keyword DifficultyPaid Merge Words KeywordStudioPaid Word Count Browser Plugins Keyword Surfer WMS Everywhere Keywords EverywherePaid #knowledge-graphKnowledge Graph Knowledge Graph Explorer Knowledge Graph Search #landing-pagesLanding Pages Tools InstapagePaid UnbouncePaid LeadpagesPaid ClickFunnelsPaid Inspiration Screenlane Interfaces.pro SaaS landing page Crayon Land Book Landing Folio Pages.xyz The Best Designs httpster awwwards SiteInspire webdesign-inspiration CSS Winner UI Temple eCommerce Inspiration ecomm.design #link-buildingLink Building LoganixPaid No BSPaid Outreach PetePaid The Upper RanksPaid Citation LabsPaid ContentHarmonyPaid #link-auditLink Audit LinkMinerPaid SEMRushPaid AhrefsPaid Majestic SEOPaid LinkodyPaid Open Site ExplorerPaid LinksSpyPaid OpenLinkProfiler URL ProfilerPaid Netpeak CheckerPaid Link DetoxPaid KerbooPaid Cognitive SEOPaid Monitor BacklinksPaid Markup Helper #localLocal SEO BrightLocalPaid Local VikingPaid GMB Guidelines Checker YextPaid Moz LocalPaid Organization Schema Generator Local SEO Checklist Synup Whitespark myPresences I Search From valentin.app Google Specific Indoor Street View Indoor Maps Google My Business Local Opportunity Finder #log-file-analysersLog File Analysers Screaming Frog Log File Analyser JetoctopusPaid Coralogix Logflare Ryte BotlogsPaid Seolyzer #marketing-automationMarketing Automation Mautic ActiveCampaignPaid User EngagePaid InfusionsoftPaid OntraportPaid ReelevantPaid AutopilotPaid Trigger Events automate.io Zapier TrayPaid If This Then That Microsoft Flow bip.io #newsletterNewsletter tl;dr Marketing Tech Bound SEOFOMO Zero to Marketing The Moz Top 10 SEONotebook Geekout Newsletter #outreachOutreach Mixmax BuzzStreamPaid PitchboxPaid JustReachOut Conspire Charlie App Crystal Onalytica Content #speedPage Speed RequestMap Generator Google Mobile Audit Tool Web Page Test Google PageSpeed Pingdom GTmetrix Persistent Connection Test Load Impact Ping Test Page Speed Revenue Impact Speed Monitor crux.run instant.page Lighthouse CI Diff Optimization Tool Nitropack Browser Plugins Lighthouse #podcastPodcast Experts On The Wire Edge of the Web The Recipe for SEO Success SEO with Mrs Ghost The SEO RANT Search Off the Record Search with Candour Make SEO Simple Again #pressPress Press Mention HARO PressPandaPaid A News TipPaid Submit.co ResponseSourcePaid Muck RackPaid SourceBottle Twitter : #PRRequest Twitter : #JournoRequest Press Release PRLog PR PR-Inside i-Newswire OnlinePRNews PRNewswirePaid PRWebPaid BusinessWirePaid MarketWirePaid PRXPaid PR in a BOXPaid Tools Google News Downloader CoverageBooksPaid #proposalsProposals ProposifyPaid PandaDoc QwilrPaid Quoters #project-managementProject Management Trello Basecamp Notion Asana #proxyProxy BuyProxiesPaid ProxyKeyPaid PIA VPNPaid Proxy Switcher #push-notificationPush Notification OneSignal Pusher VWO EngagePaid Roost #rank-trackingRank Tracking Nightwatch SERPWoo SEMRush Position TrackingPaid SERP Watcher Rank RangerPaid Serpstat Rank TrackerPaid Topvisor AccuRanker Serplab Serposcope SiteoscopePaid RankTrackrPaid Authority LabsPaid Moz Rank TrackerPaid SERPs Rank TrackingPaid SERP BookPaid Mobile Moxie Search Simulator #redditReddit Subreddit Traffic Analysis Subreddit Target Discovery postpone #retargetingRetargeting Interstate Audiences Perfect AudiencePaid AdRollPaid ReTargeterPaid #review-platformsReview Platforms PodiumPaid feefoPaid TrustpilotPaid YotpoPaid YextPaid REVIEWS.ioPaid SpikeflyPaid BirdeyePaid #screen-recordingScreen Recording Screencast-O-Matic Loom ShareX LICEcap OBS Studio Openvid #seo-agency-toolkitSEO Agency Toolkit SEOMonitorPaid Agency AnalyticsPaid STAT Web CEO Self SEOPaid PositionlyPaid Raven ToolsPaid HubSpotPaid SEO PowerSuitePaid Advanced Web RankingPaid Link Research ToolPaid SearchmetricsPaid BrightedgePaid ConductorPaid SistrixPaid LinkdexPaid #seo-alertsSEO Alerts ContentKingPaid Little WardenPaid SEO RadarPaid #fluctuationsSERP Fluctuations SEMRush SensorPaid Mozcast Ayima Pulse SERPMetrics Flux SERPs Volatility Index Algoroo Winners & Losers Rank Risk Index Google Grump Rating Advanced Web Ranking SERP Watch Knowledge Graph Sensor Local RankFlux #shopifyShopify Shopifyfd JSON-LD-Shopify-Snippets SchemaPlus Multi‑Store Hreflang Tags #slackSlack Slack MailClark talkus.ioPaid slalert! Meekan Scheduling Notify.ly Team Time Zone Botkit Statsbot #smsSMS TwilioPaid PlivoPaid Disposable SMS Quackr Receive SMSs SMS Inspiration SMS Archives Really Good Texts #socialSocial SocialPilotPaid SendiblePaid Buffer Hootsuite Sprout SocialPaid SocialHubPaid KlearPaid OktopostPaid Postcron AdJelly Social Hub Browser Plugins Ritetag #social-proofSocial Proof ProofPaid FomoPaid #sslSSL CloudFlare Let's Encrypt SSL Server Test HSTS preload list #structured-dataStructured Data JSON-LD Schema Markup Generator JSON-LD Google Tag Manager Fix FAQ Rich Snippet Generator Schema Paths Merkle Generator Rich Snippets Testing Tool Schema AppPaid Schema.dev inLinks ClassySchema WordLift Sources in KP Reading Structured Data Structured Data Types Browser Plugins OpenLink Structured Data Sniffer #text-editorText Editor VS Code Sublime Text Diffchecker Sublime Text Plugins Package Control XML Indent BracketHighlighter VS Code Plugins change-case Auto Rename Tag Beautify SVG Viewer #toolsTools Google Tag Manager Algolia SumoMe AirTable Audacity HandBrake RankTank Outdated Content Finder SupermetricsPaid SEO Tools for Excel LastPass Cached Pages Webrecorder Sucuri SiteCheck Pingometer Eager Meta Title Length Checker WikiGrabber NerdyData HTTP Server Response Viewer RevPaid BeutlerinkPaid Data Google Data Gallery Atlas StatistaPaid Data for SEOPaid Google Dataset Search Google Public Data Google Planning Tools Web Technology Usage Worldometers Code .htaccess Redirects RegEx101 Build RegEx RegExr Regxlib Xpath Cheatsheet Rapid API ProgrammableWeb Postman MonkeyTest UserBob Critical Path CSS Generator Productivity Noisli Moodil Spreed Browser Plugins Extensity Table Capture Link Clump Pasty #mentionTrack Mention BrandentionsPaid MentionPaid TalkwalkerPaid Google Alerts AwarioPaid Moz Fresh Web ExplorerPaid ElokenzPaid Brand24Paid InterestInsightsPaid Groouply Change Detection Wachete Distill.io VisualPing Versionista #translationTranslation Localize.js Weglot DeepL #trendsTrends Google Trends Muckrack Trends Google Shopping Insights Exploding Topics Pinterest Trends Glimpse Market Trends #twitterTwitter Notifier by Content Marketer Tweriod NarrowPaid SocialRank Followerwonk Crowdfire Buffer Respond Browser Plugins Klear #user-onboardingUser Onboarding elev.ioPaid tooltip.ioPaid Intro.js NickelledPaid InlineManual Hopscotch Shepherd Bootstrap Tour WalkMe AppcuesPaid Tour My AppPaid Inspiration User Onboard User Flow Patterns Hey User #videoVideo Stock Video AllTheFreeStock Video Editors Spreadsheet to Video Maker #virtual-assistantVirtual Assistant onlinejobs.phPaid UpworkPaid jobrack.euPaid #voiceVoice Voiceflow #wireframingWireframing wireframe.cc MockFlow #webmaster-toolsWebmaster Tools Google Webmaster Tools Bing Webmaster Tools Yandex Webmaster Tools Browser Plugins Search Analytics for Sheets #website-scrapersWebsite Scrapers Website Downloader HTTrack #website-toolsWebsite Tools Changelog Beamer Headway #wordpressWordPress ShortPixel Image Optimizer Google Tag Manager for WordPress Autoptimize RankMath Disable Feeds Async JavaScript Yoast Lazy Load XT Redirection AMP Plugin Organizer Simply Static Link WhisperPaid String locator #youtubeYoutube Tools TubeBuddy vidIQ Tubics Promotion MediaMisterPaid ClaimSocialAuthorityPaid #awesomeAwesome Stuff Google Search Operators SparkToro Trending PetitHacks Marketing Examples Growth.design Hangout Library SERP FEatures Glossary #listOther Lists Code My UI Motivational Quotes Brand StyleGuides Beaqn.in WebDesignRepo Call To Idea Good UI UX Recipe UX Archive wwwhere CollectUI Appealing Little Big Details ReallyGoodUX Laws of UX Configurator Database Google Sheets Templates LogoBook SOURCE: https://saijogeorge.com/best-marketing-tools/
    1 point
×
×
  • Create New...