Tapatalk is bypassing 2FA in Xenforo 1.5

Floyd R Turbo

Adherent
Joined
Jul 8, 2014
Messages
425
https://support.tapatalk.com/thread...ses-2-factor-authentication-in-xenforo.31618/

Here's what I did:

Via PC, enabled 2FA and verified

Via iPhone / Safari, logged out and logged back in. It asked for 2FA and I verified this. I left the "remember for 30 days" unchecked

I then went to TT on same device and logged out and logged back in. No 2FA question. But that does not imply it is bypassing since I had verified the device and was logged in via browser.

So I logged out via browser then tried to log back in again to verify it had not remembered the device, which it had not. I did not log in.

I then went to TT and logged out and logged back in successfully without a 2FA question.

Next, I changed my password via PC. I then logged out and logged back in, and got the 2FA prompt. Did the same on iPhone/browser, got 2FA prompt. Logged out of TT and logged back in successfully with new password and no 2FA prompt and was able to post.

Second test: I have an old iPhone with Tapatalk installed, using a test account. The app was out of date so I updated it.

Then I logged in via PC to that account and changed the password and then enabled 2FA and verified it. I then went to old iPhone browser and tried to log in, got 2FA prompt.

I went to updated TT app and was able to go straight to the forum and post without TT asking me to log in again (because I had changed my password!!). I then logged out of TT, and logged back in (using new password), no 2FA prompt. Was able to post.

IMO Tapatalk is most definitely bypassing 2FA in Xenforo.
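
The test in the post above comes down to one check: for an account with 2FA enabled, no login entry point should grant a session on the password alone. The sketch below is an added example, not part of the original post and not XenForo or Tapatalk code; the account, the entry-point names and the use of TOTP as the second factor are assumptions standing in for the forum's web login and an app-facing login path.

```python
import hashlib, hmac, struct

# Constructed test account with 2FA enabled; every value here is made up.
USERS = {"testuser": {"password": "new-password", "totp_secret": b"constructed-secret"}}

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 for the time `now` (seconds)."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def password_ok(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"].encode(), password.encode())

def second_factor_ok(user, code, now):
    secret = USERS[user].get("totp_secret")
    if secret is None:  # account has not enabled 2FA
        return True
    return code is not None and hmac.compare_digest(totp(secret, now), code)

def web_login(user, password, code, now):
    """Browser path: password first, then the second factor."""
    return password_ok(user, password) and second_factor_ok(user, code, now)

def app_login_password_only(user, password, code, now):
    """Hypothetical app path that checks the password itself and never reaches the 2FA step."""
    return password_ok(user, password)

def app_login_shared_policy(user, password, code, now):
    """Hypothetical app path routed through the same policy as the web login."""
    return web_login(user, password, code, now)

ENTRY_POINTS = {"web": web_login,
                "app_password_only": app_login_password_only,
                "app_shared_policy": app_login_shared_policy}

def audit_entry_points(entry_points, user, password, now):
    """Names of entry points that log in a 2FA-enabled account on the password alone."""
    code = totp(USERS[user]["totp_secret"], now)
    failing = []
    for name, login in entry_points.items():
        if not login(user, password, code, now):
            raise RuntimeError(f"{name}: full login failed, audit is not valid")
        if login(user, password, None, now):
            failing.append(name)
    return failing

if __name__ == "__main__":
    print(audit_entry_points(ENTRY_POINTS, "testuser", "new-password", now=1_700_000_000))
```

Run as a regression check, the audit should return an empty list once every login path goes through the shared policy.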
 

ozzy47

Tazmanian Veteran
Joined
Oct 18, 2013
Messages
9,007
Tapatalk bypasses a lot of things in all platforms.
 

vbresults

Enthusiast
Joined
Mar 21, 2013
Messages
196
Tapatalk has a direct line into the database, essentially. It's for this reason that it's so insecure.
 

ozzy47

Tazmanian Veteran
Joined
Oct 18, 2013
Messages
9,007
Yeah, it is something I do not use on any of my sites, nor on my phone, it's just too insecure.
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,864
Yeah, it is something I do not use on any of my sites,
I used to use it with VB but when transferred to XF that was the end of it.
Some of the members didn't like its dropping.
 

ozzy47

Tazmanian Veteran
Joined
Oct 18, 2013
Messages
9,007
Yeah, some people live by it, but the security of my site and my members' information is more important to me than losing a few people that hang on to using it.
 

Karll

Adherent
Joined
Dec 9, 2011
Messages
420
Well, I still use it. I'm not using 2FA anyway. It seems overly inconvenient.

The thing is, TT performs incredibly well on old / slow mobile devices compared to the The Opera Mini browser goes some way to replace it.

I do hope to phase it out, though, unless they seriously get their act together.

I've not upgraded to the most recent TT add-on version, though, which introduced some new "features" I didn't quite approve of.
 

Rudy

Enthusiast
Joined
Oct 18, 2004
Messages
208
I used to use it with VB but when transferred to XF that was the end of it.
Some of the members didn't like its dropping.
Same here, but we took the "tough love" route, and now, nobody misses it except a few stray members. To help my staff, I keep a running list of all of the issues with it, so they can use this when a pushy member tries to circle the wagons and convince us to install it. :D
 

vbresults

Enthusiast
Joined
Mar 21, 2013
Messages
196
Mirroring what I posted earlier on xf.com, I was basing a lot of what I said on the vB TT code I looked at when dealing with multiple clients. I got a look at the XenForo code and it actually doesn't look half bad... there are other issues but that is a start.
 

HWS

TAZ Member
Joined
Aug 21, 2012
Messages
204
TT bypasses anything out of the default common forum features.
If you use TT you should be aware of this.
 

Woffie

Enthusiast
Joined
Dec 30, 2008
Messages
107
I used to use Tapatalk when I was on IPS, but Xenforo looks good on mobile devices without using apps
 