Security Concern - TapaTalk

Aslan · May 23, 2014 at 8:51 PM

If you're site is using TapaTalk, update now! There was a security flaw found in TapaTalk and they decided NOT to inform anyone or advise anyone to update their files.

I did not find out until today, when I just happen to scroll over and found a post about it.

They even publicly admit to patching it silently, but NOT issuing a release or any notice telling people they should replace their files (because they did not even bother changing the version number either).

So I can only imagine how many sites are using the other copy without knowing they have a problem. This is completely irresponsible.

Quote from TapaTalk

Hi,

This issue has been addressed in April 26th, 9 days before this site published the issue. However, since this is a low risk item - we have simply replaced all the plugins that are affected. If this is concerning you and If you have updated the plugin after April 26th, you are not affected.

Source: https://support.tapatalk.com/threads/tapata…19/#post-131407

attached screenshot to confirm

Netzwerg · May 23, 2014 at 8:59 PM

Yeah, and that is not the only thing that went badly wrong with Tapatalk in the last few months.

Tapatalk has a lot of issues. There is 25 page german thread that deals with the various issues of Tapatalk:
Tapatalk

Maybe you can read it with google translator.

husrev · May 28, 2014 at 4:19 AM

Yeah, and that is not the only thing that went badly wrong with Tapatalk in Funyo the last few months.

Tapatalk has a lot of issues. There is 25 page german thread that deals with the various issues of Tapatalk: Funyo
Tapatalk

Maybe you can read it with google translator.

+1 yes yes.

SoftCreatR · May 28, 2014 at 4:30 AM

FYI: They just fixed it.

Aslan · May 30, 2014 at 7:16 AM

Quote from SoftCreatR

FYI: They just fixed it.

If you believe, TapaTalk, they fixed this issue on April 26. But then you have to take into account that they kept silent about informing people that they needed that patch for a whole month... Leaving anyone who installed before that time, still exposed to the security flaw.

What is worst is they admit to do so and was OK with that.... It was only until I posted this announcement on EVERY development they claim to support, that they finally go around to sending out an email.

The whole thing is just shady and unethical in my opinion

Rasty · June 23, 2014 at 12:39 PM

This isn't fixed. I just deleted the tapatalk plugin because the private sections of my site were visible to anyone by going to the user profile and looking at started threads.

I installed a updated copy on June 13th so I'm not using a obsolete version.

tunhj1 · June 24, 2014 at 4:54 AM

@Rasty yes but they can not read them, I hope you have also posted it out on TapaTalk forum.

Rasty · June 24, 2014 at 5:44 AM

Quote from tunhj1

@Rasty yes but they can not read them, I hope you have also posted it out on TapaTalk forum.

I did and won't hold my breath waiting on them to respond. They are maybe 50/50 on responding at all.

tapatalk_winter · June 26, 2014 at 8:10 PM

Quote from Rasty

I did and won't hold my breath waiting on them to respond. They are maybe 50/50 on responding at all.

Hi Rasty,

I think our support staff has responded to it and asking for more information about the specific WBB issue you have. Are you able to either elaborate here or send me a private message and we will make sure to response to you?

We want to apologize the lack of response on the WBB side - our WBB developer has just left the team due to personal issue and we are trying to staff up the engineers to continue the WBB support. WBB is important to us.

tapatalk_winter · June 26, 2014 at 8:14 PM

Quote from Adam Howard

If you believe, TapaTalk, they fixed this issue on April 26. But then you have to take into account that they kept silent about informing people that they needed that patch for a whole month... Leaving anyone who installed before that time, still exposed to the security flaw.

What is worst is they admit to do so and was OK with that.... It was only until I posted this announcement on EVERY development they claim to support, that they finally go around to sending out an email.

The whole thing is just shady and unethical in my opinion

Adam - we are sorry for this confusion and we have no intention to hide anything, if it would we wouldn't response to the first post at the first place. The reason being the engineering team classified this risk as a very very low risk as per each forums has IP check for cookies so we didn't see it as a immediate announcement to all forum owners. It appears that our engineers did not response to this issue well and is a lesson learned from us going forward.

Since then we have improved the process of security handling and announcement will be certainly be more communicative of the issues going forward.

Rasty · June 26, 2014 at 10:19 PM

Quote from tapatalk_winter

Hi Rasty,

I think our support staff has responded to it and asking for more information about the specific WBB issue you have. Are you able to either elaborate here or send me a private message and we will make sure to response to you?

We want to apologize the lack of response on the WBB side - our WBB developer has just left the team due to personal issue and we are trying to staff up the engineers to continue the WBB support. WBB is important to us.

The largest gaping problem is that the user groups are meaningless in the wbb version of Tapatalk which left the moderator (private) section open to anyone being able to read the posts by going to my profile and looking at the threads I started. I doubt I'm coming back as a customer because I can't monitor the app every day to see what mistake is being made by tapatalk today. Maybe your next accidental beta release will really leave something wide open.

Sorry but it's become complete amateur hour at Tapatalk. I've got at least 3 threads for help on the Tapatalk support forum from my previous Kunena site that are three months old without a response.

Aslan · June 27, 2014 at 6:53 PM

Quote from Rasty

The largest gaping problem is that the user groups are meaningless in the wbb version of Tapatalk which left the moderator (private) section open to anyone being able to read the posts by going to my profile and looking at the threads I started. I doubt I'm coming back as a customer because I can't monitor the app every day to see what mistake is being made by tapatalk today. Maybe your next accidental beta release will really leave something wide open.

Sorry but it's become complete amateur hour at Tapatalk. I've got at least 3 threads for help on the Tapatalk support forum from my previous Kunena site that are three months old without a response.

@Rasty I did not know this about TapaTalk running on Woltlab Burning Board (WBB). Was this what happen on the final version or just the beta? Because if it's only the beta, than it's a beta for a reason (guaranteed to not be stable and have bugs). But if this happen on the final release, that is disturbing

Rasty · June 27, 2014 at 11:40 PM

Quote from Adam Howard

@Rasty I did not know this about TapaTalk running on Woltlab Burning Board (WBB). Was this what happen on the final version or just the beta? Because if it's only the beta, than it's a beta for a reason (guaranteed to not be stable and have bugs). But if this happen on the final release, that is disturbing

It was the final release. I installed a updated version today which fixed the privacy problem. Hopefully the new customer service guys understand the importance of communication. They announced that there was a privacy concern today at my request.

Aslan · June 28, 2014 at 2:57 PM

Quote from Rasty

It was the final release. I installed a updated version today which fixed the privacy problem. Hopefully the new customer service guys understand the importance of communication. They announced that there was a privacy concern today at my request.

Thank you @Rasty for that bit of information (learned something new today).

I don't exactly like TapaTalk. I use them simply because the next generation seems to be completely app dependent. You can tell them that their mobile browser is an app all you want, but people still want something more dedicated for X use (in this case forum / community use).

Although I have it. I don't exactly advertize it.

I go so far as to disable the tapatalk welcome screen, but then discovered that technically, they have another welcome screen. Although they call it a "welcome banner", I still call it a welcome screen because it does "fade out" your website (whole screen) so that you'll notice the header banner; which suggest you use TapaTalk.

There is no option to disable this so I found the code to do so.
First you want to be sure you have the welcome screen option disabled
un-check the box that reads, Mobile Welcome Screen, then save

Now to finally get rid of that drop down header that your members are first greeted with.

mobiquo / smartbanner / head.inc.php

Look for

Code

// display smart banner and welcome page
$app_banner_head = '';
if (file_exists($tapatalk_dir . '/smartbanner/welcome.php') && file_exists($tapatalk_dir . '/smartbanner/appbanner.js'))
{
    $GLOBALS['app_head_included'] = true;
    $app_banner_head = '
        <!-- Tapatalk Banner&Welcome head start -->
        <link href="'.$tapatalk_dir_url.'/smartbanner/appbanner.css" rel="stylesheet" type="text/css" media="screen" />
        <script type="text/javascript">
            var is_mobile_skin     = '.$is_mobile_skin.';
            var app_ios_id         = "'.$app_ios_id.'";
            var app_android_id     = "'.addslashes($app_android_id).'";
            var app_kindle_url     = "'.addslashes(urlencode($app_kindle_url)).'";
            var app_banner_message = "'.addslashes($app_banner_message).'";
            var app_forum_name     = "'.addslashes($app_forum_name).'";
            var app_location_url   = "'.addslashes($app_location_url).'";
            var app_board_url      = "'.addslashes(urlencode($board_url)).'";
            var functionCallAfterWindowLoad = '.$functionCallAfterWindowLoad.';

            var app_forum_code = "'.(trim($api_key) ? md5(trim($api_key)) : '').'";
            var app_referer = "'.addslashes(urlencode($app_referer)).'";
            var app_welcome_url = "'.addslashes($tapatalk_dir_url.'/smartbanner/welcome.php').'";
            var app_welcome_enable = '.($app_ads_enable ? 1 : 0).';
        </script>
        <script src="'.$tapatalk_dir_url.'/smartbanner/appbanner.js" type="text/javascript"></script>
        <!-- Tapatalk Banner head end-->
    ';
}

Display More

And either remove it or comment it out.

If you comment it out, it will look something like this

Code

// display smart banner and welcome page
// $app_banner_head = '';
// if (file_exists($tapatalk_dir . '/smartbanner/welcome.php') && file_exists($tapatalk_dir . '/smartbanner/appbanner.js'))
// {
//    $GLOBALS['app_head_included'] = true;
//
//    $app_banner_head = '
//        <!-- Tapatalk Banner&Welcome head start -->
//        <link href="'.$tapatalk_dir_url.'/smartbanner/appbanner.css" rel="stylesheet" type="text/css" media="screen" />
//        <script type="text/javascript">
//            var is_mobile_skin     = '.$is_mobile_skin.';
//            var app_ios_id         = "'.$app_ios_id.'";
//            var app_android_id     = "'.addslashes($app_android_id).'";
//            var app_kindle_url     = "'.addslashes(urlencode($app_kindle_url)).'";
//            var app_banner_message = "'.addslashes($app_banner_message).'";
//            var app_forum_name     = "'.addslashes($app_forum_name).'";
//            var app_location_url   = "'.addslashes($app_location_url).'";
//            var app_board_url      = "'.addslashes(urlencode($board_url)).'";
//            var functionCallAfterWindowLoad = '.$functionCallAfterWindowLoad.';
//     
//            var app_forum_code = "'.(trim($api_key) ? md5(trim($api_key)) : '').'";
//           var app_referer = "'.addslashes(urlencode($app_referer)).'";
//            var app_welcome_url = "'.addslashes($tapatalk_dir_url.'/smartbanner/welcome.php').'";
//            var app_welcome_enable = '.($app_ads_enable ? 1 : 0).';
//        </script>
//        <script src="'.$tapatalk_dir_url.'/smartbanner/appbanner.js" type="text/javascript"></script>
//        <!-- Tapatalk Banner head end-->
//    ';
// }

Display More

Now if you would rather someone else did the work for you, you can simply download the attached file and upload it.

You're welcome

hispasat · June 28, 2014 at 4:28 PM

MESSAGE FROM TAPATALK TEAM

update to 1.04!

This is a security bulletin for all admins running Tapatalk on a WBB forum as it concerns a moderator privacy issue.

Due to the vigilance of the Admin of appalachiantrailcafe.net
, he was able to help bring to our attention a flaw in the WBB version
of the Tapatalk plug-in. The flaw affects the visibility of a
moderator's (private) sub-forum activity to other members of the forum.

A forum member if so inclined, can view thread titles started by a
moderator in a private sub-forum by navigating through a moderator's
profile. This issue does not expose any other private info of your users
or staff, only content (thread titles and thread previews) inside
private sub-forums. Users cannot enter private forums via this method.

We have completed an updated plug-in addressing this issue for all WBB
based forums running Tapatalk and we highly encourage everyone running
Tapatalk on a WBB based forum to apply to upgrade at their earliest
convenience.

Download the updated plug-in in the link below, standard update instructions apply:

https://tapatalk.com/activate_tapatalk.php?plugin=wbb

Thank You and we apologize for any inconvenience this may have caused,

The Tapatalk Team

i have attached the file

hispasat · June 28, 2014 at 4:36 PM

remove the previous version of tapatalk and install the fresh one

if another security issues arises, i will remove it for good.

SoftCreatR · June 28, 2014 at 4:42 PM

@Adam Howard

Putting $app_banner_head = ''; after the code, that you've commented out, should be easier However, i could also implement an option for admins to turn it off.

Aslan · June 28, 2014 at 4:46 PM

Quote from SoftCreatR

@Adam Howard

Putting $app_banner_head = ''; after the code, that you've commented out, should be easier However, i could also implement an option for admins to turn it off.

I'd love it if there was an option to turn it off. TapaTalk seems to have ignored that feature request

hispasat · June 28, 2014 at 4:58 PM

there is ootion to turn it off
once you hit X, it does not show up again

Aslan · June 28, 2014 at 5:19 PM

Quote from hispasat

there is ootion to turn it off
once you hit X, it does not show up again

That is a per user setting (based on cookies). So if I visited your site for the 1st time, I would be greeted with that banner. The idea is to not have the banner, ever (completely disable it for all users).

Security Concern - TapaTalk

Participate now!

Tags