Security Concern - TapaTalk

  • If your site is using TapaTalk, update now! There was a security flaw found in TapaTalk and they decided NOT to inform anyone or advise anyone to update their files.


    I did not find out until today, when I just happened to scroll over and found a post about it.


    They even publicly admit to patching it silently, but NOT issuing a release or any notice telling people they should replace their files (because they did not even bother changing the version number either). =O


    So I can only imagine how many sites are using the other copy without knowing they have a problem. This is completely irresponsible. :cursing:


    Quote from TapaTalk

    Hi,


    This issue was addressed on April 26th, 9 days before this site published the issue. However, since this is a low risk item - we have simply replaced all the plugins that are affected. If this is concerning you and if you have updated the plugin after April 26th, you are not affected.


    Source: https://support.tapatalk.com/t…bility.24719/#post-131407


    attached screenshot to confirm

  • Yeah, and that is not the only thing that went badly wrong with Tapatalk in the last few months.


    Tapatalk has a lot of issues. There is a 25-page German thread that deals with the various issues of Tapatalk:
    Tapatalk


    Maybe you can read it with Google Translator.

    "A life is like a garden. Perfect moments can be had, but not preserved, except in memory. LLAP" — Leonard Nimoy

  • Yeah, and that is not the only thing that went badly wrong with Tapatalk in Funyo the last few months.


    Tapatalk has a lot of issues. There is a 25-page German thread that deals with the various issues of Tapatalk: Funyo
    Tapatalk


    Maybe you can read it with Google Translator.


    +1 yes yes.


  • FYI: They just fixed it.


    If you believe TapaTalk, they fixed this issue on April 26. But then you have to take into account that they kept silent about informing people that they needed that patch for a whole month... leaving anyone who installed before that time still exposed to the security flaw.


    What is worse is they admit to doing so and were OK with that.... It was only after I posted this announcement on EVERY development they claim to support that they finally got around to sending out an email.


    The whole thing is just shady and unethical in my opinion.

  • This isn't fixed. I just deleted the Tapatalk plugin because the private sections of my site were visible to anyone by going to the user profile and looking at started threads.


    I installed an updated copy on June 13th so I'm not using an obsolete version.

  • @Rasty yes but they can not read them, I hope you have also posted it out on TapaTalk forum.

    Norwegian language files to (WSC 5.2 + 5.3 and The New WSC 5.4 + 5.5 ) *no.xml* Unofficial Language Packs

  • I did and won't hold my breath waiting on them to respond. They are maybe 50/50 on responding at all.


    Hi Rasty,


    I think our support staff has responded to it and is asking for more information about the specific WBB issue you have. Are you able to either elaborate here or send me a private message, and we will make sure to respond to you?


    We want to apologize for the lack of response on the WBB side - our WBB developer has just left the team due to a personal issue and we are trying to staff up the engineers to continue the WBB support. WBB is important to us.

  • If you believe TapaTalk, they fixed this issue on April 26. But then you have to take into account that they kept silent about informing people that they needed that patch for a whole month... leaving anyone who installed before that time still exposed to the security flaw.


    What is worse is they admit to doing so and were OK with that.... It was only after I posted this announcement on EVERY development they claim to support that they finally got around to sending out an email.


    The whole thing is just shady and unethical in my opinion.


    Adam - we are sorry for this confusion and we have no intention to hide anything; if we did, we wouldn't have responded to the first post in the first place. The reason is that the engineering team classified this risk as a very, very low risk, as each forum has an IP check for cookies, so we didn't see it as an immediate announcement to all forum owners. It appears that our engineers did not respond to this issue well, and it is a lesson learned for us going forward.


    Since then we have improved the process of security handling, and announcements will certainly be more communicative of the issues going forward. :)

  • Hi Rasty,


    I think our support staff has responded to it and is asking for more information about the specific WBB issue you have. Are you able to either elaborate here or send me a private message, and we will make sure to respond to you?


    We want to apologize for the lack of response on the WBB side - our WBB developer has just left the team due to a personal issue and we are trying to staff up the engineers to continue the WBB support. WBB is important to us.


    The largest gaping problem is that the user groups are meaningless in the wbb version of Tapatalk which left the moderator (private) section open to anyone being able to read the posts by going to my profile and looking at the threads I started. I doubt I'm coming back as a customer because I can't monitor the app every day to see what mistake is being made by tapatalk today. Maybe your next accidental beta release will really leave something wide open.


    Sorry but it's become complete amateur hour at Tapatalk. I've got at least 3 threads for help on the Tapatalk support forum from my previous Kunena site that are three months old without a response.

  • The largest gaping problem is that the user groups are meaningless in the wbb version of Tapatalk which left the moderator (private) section open to anyone being able to read the posts by going to my profile and looking at the threads I started. I doubt I'm coming back as a customer because I can't monitor the app every day to see what mistake is being made by tapatalk today. Maybe your next accidental beta release will really leave something wide open.


    Sorry but it's become complete amateur hour at Tapatalk. I've got at least 3 threads for help on the Tapatalk support forum from my previous Kunena site that are three months old without a response.


    @Rasty I did not know this about TapaTalk running on Woltlab Burning Board (WBB). Was this what happened on the final version or just the beta? Because if it's only the beta, then it's a beta for a reason (guaranteed to not be stable and have bugs). But if this happened on the final release, that is disturbing.

  • @Rasty I did not know this about TapaTalk running on Woltlab Burning Board (WBB). Was this what happened on the final version or just the beta? Because if it's only the beta, then it's a beta for a reason (guaranteed to not be stable and have bugs). But if this happened on the final release, that is disturbing.


    It was the final release. I installed an updated version today which fixed the privacy problem. Hopefully the new customer service guys understand the importance of communication. They announced that there was a privacy concern today at my request.


  • It was the final release. I installed an updated version today which fixed the privacy problem. Hopefully the new customer service guys understand the importance of communication. They announced that there was a privacy concern today at my request.

    Thank you @Rasty for that bit of information (learned something new today). :)


    I don't exactly like TapaTalk. I use them simply because the next generation seems to be completely app dependent. You can tell them that their mobile browser is an app all you want, but people still want something more dedicated for X use (in this case forum / community use).


    Although I have it, I don't exactly advertise it.


    I go so far as to disable the Tapatalk welcome screen, but then discovered that technically, they have another welcome screen. Although they call it a "welcome banner", I still call it a welcome screen because it does "fade out" your website (whole screen) so that you'll notice the header banner, which suggests you use TapaTalk.


    There is no option to disable this, so I found the code to do so.
    First you want to be sure you have the welcome screen option disabled:
    un-check the box that reads "Mobile Welcome Screen", then save.


    Now to finally get rid of that drop-down header that your members are first greeted with.


    mobiquo/smartbanner/head.inc.php


    Look for


    And either remove it or comment it out.


    If you comment it out, it will look something like this



    Now if you would rather someone else did the work for you, you can simply download the attached file and upload it.


    You're welcome :D


  • MESSAGE FROM TAPATALK TEAM

    Update to 1.04!


    This is a security bulletin for all admins running Tapatalk on a WBB forum as it concerns a moderator privacy issue.


    Due to the vigilance of the Admin of appalachiantrailcafe.net, he was able to help bring to our attention a flaw in the WBB version
    of the Tapatalk plug-in. The flaw affects the visibility of a
    moderator's (private) sub-forum activity to other members of the forum.


    A forum member if so inclined, can view thread titles started by a
    moderator in a private sub-forum by navigating through a moderator's
    profile. This issue does not expose any other private info of your users
    or staff, only content (thread titles and thread previews) inside
    private sub-forums. Users cannot enter private forums via this method.


    We have completed an updated plug-in addressing this issue for all WBB
    based forums running Tapatalk and we highly encourage everyone running
    Tapatalk on a WBB based forum to apply to upgrade at their earliest
    convenience.


    Download the updated plug-in in the link below, standard update instructions apply:


    https://tapatalk.com/activate_tapatalk.php?plugin=wbb


    Thank You and we apologize for any inconvenience this may have caused,


    The Tapatalk Team


    I have attached the file.

  • Remove the previous version of Tapatalk and install the fresh one :)


    If another security issue arises, I will remove it for good.

  • @Adam Howard


    Putting $app_banner_head = ''; after the code that you've commented out should be easier ;) However, I could also implement an option for admins to turn it off.


    I'd love it if there was an option to turn it off. TapaTalk seems to have ignored that feature request.

  • There is an option to turn it off:
    once you hit X, it does not show up again.


    That is a per user setting (based on cookies). So if I visited your site for the 1st time, I would be greeted with that banner. The idea is to not have the banner, ever (completely disable it for all users). ;)
