Tapatalk says add-on exploit discloses emails and passwords - but which??

[Mouth]

Today we discovered that someone had used an exploit in a third party plugin on the Tapatalk support forums, leading to the disclosure of email addresses and encrypted passwords, and possibly passwords in cleartext if you attempted to login since December 9th.

Does anyone know which add-on? Has this been disclosed to XF?

 

[Mouth]

What happened was that someone used an exploit in a non-Tapatalk bit of code to gain access to the database on the support forum were they extracted from the database amongst things, encrypted passwords but they also modified Xenforo on the evening (US time) of December 10th so that it logged unencrypted passwords when you logged in. These were streamed off directly to a server in Sweden.

 

[Mouth]

I will pass the code to the Xenforo developers so that it can be looked at for a clearer picture of what happened.

Hopefully XF will fully inform us ??

 

[arn]

ya, no news yet. but am paying attention to it myself too.

 

[RobinHood]

 

[Jim Boy]

My money is on a badly composed bespoke add-on, I think it would have been reported here first if that wasn't the case

 

[Paul B]

Hopefully XF will fully inform us ??

We know nothing about it.

 

[MattW]

We know nothing about it.

 

[Paul B]

paul@tapatalk has contacted me and confirmed the exploit was not related to XenForo but to WordPress.

Also stated here: https://support.tapatalk.com/threads/tapatalk-exploit-by-3rd-party-add-on-which.27446/#post-145251

The entry vector was not via Xenforo or the tapatalk plugin on support, it was via wordpress.

 

[Chris D]

Sounds like they ought to get their facts right before pointing fingers in the future!

 

[rainmotorsports]

Sounds like they ought to get their facts right before pointing fingers in the future!

Quadruple post!

Well they blamed an add-on from the start. Was it just WP or was it a bridge plugin causing the actual vulnerability? Sounds like they did point the finger wrong but eh.

 

[Ingenious]

This is a terrible email - I got it too - it is worded to quite clearly blame a forum plugin, so when I went and found their forum runs Xenforo, like every Xenforo owner, I panicked. Now they are saying it has nothing to do with Xenforo. Also their email contained a link to the TT client area. When I clicked it, I was already logged in. How is that possible, if they reset the passwords (and I have not logged in for some time either, so I hope the email link was not a direct route to my private area!)? It also took my old password when I reset it. I'd post this on the TT support forum, but I'm scared to log in there now, in case "they" are watching me and stealing my precious bodily fluids.

 

[Floyd R Turbo]

Agreed. The first thing I thought was that the add-on was hacked, meaning, all of my forum users info was hacked. Thankfully this was not the case, it turned out only to be users of the Tapatalk XF support forum, and then, only users who had manually logged in since the 12/10. Unfortunately, I was one of those as I needed to do so after a username change - and I might note, after I did this, the app on my iOS acted very strangely, I changed my username and it kept wanting to change it back, kept logging me in to my account then erroring out and saying that I had to log in again (in which case it had switche dme back to my old login username)...wondering if that is related at all.

 

[MattW]

Unfortunately, we are going to have to take their word on what was accessed and stolen.

They have said data was being streamed back to a server in Sweden. This being the case, they could have been streaming anything back to it they wanted.

The forum being breached is the best case admittance given what their app does.

After seeing how they have operated over the years, and how the keep introducing more and more bugs into their own app, this is the final straw for me. I reinstalled it for the few members who wanted it. It's gone for good now.

 

[Andy.N]

I have uninstalled years ago.

 

[Amaury]

We never bothered installing it as we saw no need for it, and we certainly don't plan on installing it in the future.

 

[Snog]

I'd like to thank TapaTalk for exposing an email address that has never had a single spam email in it's history. I'll just bet that changes now.

 

[Mouth]

@ https://support.tapatalk.com/threads/tapatalk-exploit-by-3rd-party-add-on-which.27446/ they have clarified that it was wordpress exploit for http://blog.tapatalk.com/ that was installed on the same server. It would seem that this wordpress exploit apparently allowed them to overwrite/replace XF code that shipped usernames and unencrypted passwords at logon time to an external server.

 

[Jim Boy]

Whilst it is a WP issue, it is a timely reminder for any forum owner that add-on code has the potential to compromise a forum, either through poor coding or something more nefarious.

 

[WoodiE]

It would seem that this wordpress exploit apparently allowed them to overwrite/replace XF code that shipped usernames and unencrypted passwords at logon time to an external server.

Which begs the question, why would the hacker(s) stop at just the support forum? How do we know they haven't modified other code or other exploits and have gathered personal forum admin information such as name, address, business tax id / SSN for those admins that have monetization enabled via tapatalk?

This entire process has been a cluster fluff from the start. An email telling users to reset their password with the links pointing to the Tapatalk Admin CP, then stating the Admin CP wasn't hacked but only the support forums. Stating old passwords have been de-activated when in fact old passwords still worked fine. Blaming a XF addon then reporting it wasn't XF but instead Wordpress or some addon for WP.

For me, I get the feeling they have no idea what has or hasn't been compromised nor how said hacker did their deed.