Tapatalk says add-on exploit discloses emails and passwords - but which??


Well-known member
tapatalk said:
Today we discovered that someone had used an exploit in a third party plugin on the Tapatalk support forums, leading to the disclosure of email addresses and encrypted passwords, and possibly passwords in cleartext if you attempted to log in since December 9th.
Does anyone know which add-on? Has this been disclosed to XF?


Well-known member
tapatalk said:
What happened was that someone used an exploit in a non-Tapatalk bit of code to gain access to the database on the support forum, where they extracted from the database, amongst things, encrypted passwords, but they also modified XenForo on the evening (US time) of December 10th so that it logged unencrypted passwords when you logged in. These were streamed off directly to a server in Sweden.

Jim Boy

Well-known member
My money is on a badly composed bespoke add-on; I think it would have been reported here first if that wasn't the case.


Well-known member
This is a terrible email - I got it too - it is worded to quite clearly blame a forum plugin, so when I went and found their forum runs XenForo, like every XenForo owner, I panicked. Now they are saying it has nothing to do with XenForo. Also their email contained a link to the TT client area. When I clicked it, I was already logged in. How is that possible, if they reset the passwords (and I have not logged in for some time either, so I hope the email link was not a direct route to my private area!)? It also took my old password when I reset it. I'd post this on the TT support forum, but I'm scared to log in there now, in case "they" are watching me and stealing my precious bodily fluids.

Floyd R Turbo

Well-known member
Agreed. The first thing I thought was that the add-on was hacked, meaning, all of my forum users' info was hacked. Thankfully this was not the case, it turned out only to be users of the Tapatalk XF support forum, and then, only users who had manually logged in since the 12/10. Unfortunately, I was one of those as I needed to do so after a username change - and I might note, after I did this, the app on my iOS acted very strangely, I changed my username and it kept wanting to change it back, kept logging me in to my account then erroring out and saying that I had to log in again (in which case it had switched me back to my old login username)...wondering if that is related at all.


Well-known member
Unfortunately, we are going to have to take their word on what was accessed and stolen.

They have said data was being streamed back to a server in Sweden. This being the case, they could have been streaming anything back to it they wanted.

The forum being breached is the best case admittance given what their app does.

After seeing how they have operated over the years, and how they keep introducing more and more bugs into their own app, this is the final straw for me. I reinstalled it for the few members who wanted it. It's gone for good now.


Well-known member
I'd like to thank TapaTalk for exposing an email address that has never had a single spam email in its history. I'll just bet that changes now. :mad:


Well-known member
It would seem that this WordPress exploit apparently allowed them to overwrite/replace XF code that shipped usernames and unencrypted passwords at logon time to an external server.
Which begs the question, why would the hacker(s) stop at just the support forum? How do we know they haven't modified other code or other exploits and have gathered personal forum admin information such as name, address, business tax id / SSN for those admins that have monetization enabled via tapatalk?

This entire process has been a cluster fluff from the start. An email telling users to reset their password with the links pointing to the Tapatalk Admin CP, then stating the Admin CP wasn't hacked but only the support forums. Stating old passwords have been de-activated when in fact old passwords still worked fine. Blaming an XF addon then reporting it wasn't XF but instead WordPress or some addon for WP.

For me, I get the feeling they have no idea what has or hasn't been compromised nor how said hacker did their deed.