TapaTalk hacked

WoodiE55

Enthusiast
Joined
Feb 6, 2004
Messages
189
TapaTalk doesn't seem to have all their ducks in a row. The email sent out stated the accounts have been compromised and tells you the old password has been deactivated and gives you a link to reset your password. The link used to reset your password is to reset your TapaTalk ADMIN panel password - NOT forum but then they post this in their support forum.

"The logins to support.tapatalk.com and every other tapatalk system are NOT related unless you used the same email address and password.

Affected
- support.tapatalk.com

Unaffected
- www.tapatalk.com
- Admin control panels.
- Tapatalk plugins
- Tapatalk mobile apps" - https://support.tapatalk.com/threads/passwords-stolen.27443/page-2#post-145163

I have a feeling they don't have much of an idea what really is or isn't affected.
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,368
Well, it was a legitimate email, just with the wrong link. Also, they were using a script to track clicks like it was a marketing email. It's pretty clear what happened when you look at it.

An unfortunate combination of mistakes made everyone further confused and paranoid.
It's still not clear to me and I'll keep leaning towards paranoid until I've been convinced otherwise. It could very well be legit, or it could be that an admin account has been compromised and the email is a scam to get everyone to change their passwords, at which point they will be intercepted.
 

echo_off

Life is an illusion...
Joined
Mar 24, 2011
Messages
1,274
Cleartext passwords? To be frank, anybody who stores passwords in cleartext is plain stupid. No matter how little time they are stored for. Everybody knows most people use the same password for most of the websites they visit. I have several passwords, I have one that I use for signing up to random small sites that I will probably only visit once, and several others for the common websites I use.

Either way, this is not good.
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,213
Cleartext passwords? To be frank, anybody who stores passwords in cleartext is plain stupid. No matter how little time they are stored for. Everybody knows most people use the same password for most of the websites they visit. I have several passwords, I have one that I use for signing up to random small sites that I will probably only visit once, and several others for the common websites I use.

Either way, this is not good.
They don't store passwords in clear text.

What happened was the hackers installed an add-on that intercepts the clear text password you enter into your browser and forwards it to some server in Sweden. That is why only people who logged in since December 10th had their clear text passwords revealed. All software is vulnerable to this kind of hack.
 

Shawn Gossman

Tazmanian Master
Joined
Dec 16, 2005
Messages
8,033
I know Tapatalk has had its issues and all but would you all be quick to judge other software platforms that have security breach events? Or is it just the track record of this particular one?
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,368
would you all be quick to judge other software platforms that have security breach events?
Doesn't that depend on the nature of the breach and how it's been handled? In this case a number of users, myself included, have yet to be convinced that the email we received is legitimate. It probably is but then again it mirrors attacks on other systems where the hacker has used the very same procedure to intercept a user being told to change their password because of a breach.

Sending out advisory notices with dubious links and then channelling all their supposedly official information through what appears to be a very dubious and uninformed admin account rings alarm bells in my head and I'd rather be safe than sorry :)
 

Rasty

Fan
Joined
Feb 16, 2014
Messages
803
I know Tapatalk has had its issues and all but would you all be quick to judge other software platforms that have security breach events? Or is it just the track record of this particular one?
Tapatalk has a poor track record. They will update software and it will change the privacy privileges. They won't respond to most concerns on their website. At first I thought it was just poor customer service but now realize it's the entire company that isn't competent. The new manager promised better response times which hasn't happened.

At this point keeping tapatalk is risking the security of your website because there is no telling what stupid move they will do next.
 

echo_off

Life is an illusion...
Joined
Mar 24, 2011
Messages
1,274
They don't store passwords in clear text.

What happened was the hackers installed an add-on that intercepts the clear text password you enter into your browser and forwards it to some server in Sweden. That is why only people who logged in since December 10th had their clear text passwords revealed. All software is vulnerable to this kind of hack.
Ah, I see now. Makes sense. Although, I never said, nor implied, that any software is NOT vulnerable to this kind of attack. I didn't read all of it, I just saw "some passwords stored in plaintext" and went ballistic at my keyboard and typed my previous post. :)
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,213
Although, I never said, nor implied, that any software is NOT vulnerable to this kind of attack.
That wasn't meant for you, that was to head off the small group of users who follow me around who think if I say something anti-XF I am also saying that it is a flaw VB does not have. The point was to simply state the same could happen to any forum software, or indeed, any software that accepted a username/password via a browser window.
 

echo_off

Life is an illusion...
Joined
Mar 24, 2011
Messages
1,274
That wasn't meant for you, that was to head off the small group of users who follow me around who think if I say something anti-XF I am also saying that it is a flaw VB does not have. The point was to simply state the same could happen to any forum software, or indeed, any software that accepted a username/password via a browser window.
You have internet stalkers? Wow. That's funny.

* looks to the top-left and ponders the concept of stalking laws covering internet cases *

Anyway, the intention was not to sound quite as abrupt as I might have done. I suppose any software that allows the upload and installation of plugins via the ACP is vulnerable. Personally, I'd disable the uploading of plugins AND themes via the ACP to prevent these kinds of cases. The only other way would be through FTP, which would have a strong (and different from admin account) password anyway.
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,213
It really isn't limited to software that allows plugins via the ACP. The WordPress exploit that started this likely allowed a shell to be installed. With that they get disk access and can edit the original files, so whether plugins are allowed or not they can hijack the login process and do whatever they want.
 

echo_off

Life is an illusion...
Joined
Mar 24, 2011
Messages
1,274
It really isn't limited to software that allows plugins via the ACP. The WordPress exploit that started this likely allowed a shell to be installed. With that they get disk access and can edit the original files, so whether plugins are allowed or not they can hijack the login process and do whatever they want.
Yeah, that is true. I've seen people upload a dodgy JPEG with a PHP-based shell at the end of the file to a site that does no real format checking on image uploads, then find a way of including that file into a PHP script.
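A defensive check for the upload case echo_off describes, added here as an example and not code from this thread or from any forum package: it walks the JPEG segment structure (so an EOI inside an EXIF thumbnail is not mistaken for the end of the picture), rejects anything appended after the real EOI, and rejects a PHP open tag hidden in a comment or EXIF segment. The sample blobs are constructed inline and are structurally valid skeletons, not decodable pictures.

```python
import struct

PHP_TAGS = (b"<?php", b"<?=", b"<script language=")  # open tags an include() would execute


def jpeg_end(data: bytes):
    """Return the offset just past the real EOI marker (FF D9), or None if the
    bytes are not a well-formed JPEG. Segments are skipped by their declared
    length, so an FF D9 inside an APP1 (EXIF thumbnail) is never seen; after
    the SOS marker, entropy-coded data can only contain FF 00 or FF D0-D7, so
    the first FF D9 found there is the true end of image."""
    if data[:2] != b"\xff\xd8":
        return None
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                                  # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:        # standalone markers
            pos += 2
            continue
        if pos + 4 > n:
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                                  # SOS: scan data follows
            end = data.find(b"\xff\xd9", pos)
            return None if end < 0 else end + 2
    return None


def check_image_upload(data: bytes):
    """Policy: must parse as JPEG, nothing after EOI, no PHP open tag anywhere."""
    end = jpeg_end(data)
    if end is None:
        return False, "not a well-formed JPEG"
    if data[end:]:
        return False, f"{len(data) - end} trailing bytes after EOI"
    if any(tag in data.lower() for tag in PHP_TAGS):
        return False, "PHP open tag embedded in image segments"
    return True, "ok"


def build_jpeg(extra_segment: bytes = b"", trailer: bytes = b"") -> bytes:
    """Constructed skeleton: SOI, APP0, optional segment, SOS + 2 scan bytes, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return b"\xff\xd8" + app0 + extra_segment + sos + b"\xff\xd9" + trailer


EXIF_THUMB = b"\xff\xe1" + struct.pack(">H", 12) + b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"  # constructed
COM_PHP = b"\xff\xfe" + struct.pack(">H", 10) + b"<?php ?>"                               # constructed
CLEAN, WITH_THUMB = build_jpeg(), build_jpeg(extra_segment=EXIF_THUMB)
APPENDED, IN_COMMENT = build_jpeg(trailer=b"<?php ?>"), build_jpeg(extra_segment=COM_PHP)
```

Re-encoding the image server-side after this check (and serving uploads from a directory where PHP execution is disabled) removes what the check cannot see.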
 

Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,141
I know Tapatalk has had its issues and all but would you all be quick to judge other software platforms that have security breach events? Or is it just the track record of this particular one?
It also boils down to the fact that Tapatalk simply isn't as relevant in the modern age.
With things like responsive designs coming along, people are likely to become much less willing to tolerate Tapatalk's problems.
 

Shawn Gossman

Tazmanian Master
Joined
Dec 16, 2005
Messages
8,033
I'm going through the process now and seeing if my users actually need it on the forums. If everyone can be happy with the mobile themes, I'll be disabling it.
 

Rasty

Fan
Joined
Feb 16, 2014
Messages
803
I'm going through the process now and seeing if my users actually need it on the forums. If everyone can be happy with the mobile themes, I'll be disabling it.
Look at your statistics on tapatalk. It will tell you how many users are using tapatalk and how many posts.
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,213
Look at your statistics on tapatalk. It will tell you how many users are using tapatalk and how many posts.
I often feel those statistics must include some sort of bots. I feel they are much higher than they really are each time I see them, and then I think: what better way to make admins choose to stay.
 

Rasty

Fan
Joined
Feb 16, 2014
Messages
803
The ability to attach images is tapatalk's main advantage over mobile styles.
Not for WBB which loads pictures perfectly. Tapatalk ruins pictures with their watermark which isn't controllable by users.
 

Shawn Gossman

Tazmanian Master
Joined
Dec 16, 2005
Messages
8,033
Look at your statistics on tapatalk. It will tell you how many users are using tapatalk and how many posts.
From what I can tell based on what I've analyzed thus far, Tapatalk users rarely post, it just shows them searching and they never really respond to PMs where I try to entice them to post. So I have a feeling that it will soon be disabled unless they all start freaking out lol.

The ability to attach images is tapatalk's main advantage over mobile styles.
Yeah that does suck a bit especially in an age where most photos are taken with a phone.
 