
Tapatalk sends unencrypted passwords over the web.

Discussion in 'Suggestion Box & Feedback' started by autonomous1, Aug 18, 2015.

  1. autonomous1

    autonomous1 Newbie
    Thread Starter

    Edit by Phases: Please see this response.

    Since Tapatalk sends unencrypted passwords over the web it would be a good idea to maintain a valid security certificate and arrange to have Tapatalk users access the site via https. The Tapatalk password is encoded as base64, which can be easily decoded to cleartext. This issue was brought up to Tapatalk support over a year ago, and even though they acknowledged it and said it would be fixed soon, the security issue still exists. I captured a sample login message sent by the latest version of Tapatalk and decoded my username/password being sent over the web in base64 cleartext.

    Here is the issue brought up to Tapatalk over a year ago:



    https://support.tapatalk.com/thread...sword-when-transmitting-across-network.23244/

    NET::ERR_CERT_AUTHORITY_INVALID

    Subject: androidforums.neverstill.com
    Issuer: androidforums.neverstill.com
    Expires on: Apr 15, 2016
    Current date: Aug 18, 2015
    PEM encoded chain:
     


    #1 autonomous1, Aug 18, 2015
    Last edited by a moderator: Aug 22, 2015


       
  2. Unforgiven

    Unforgiven ...eschew obfuscation...
    Moderator

    Check the files it stores on your phone. It probably still stores your password in clear text on your phone. They fixed it for one update, then reverted back when I reported it a couple of years ago.
     
  3. AZgl1500

    AZgl1500 Extreme Android User

    I solved that problem, deleted TapaTalk.
     
  4. Phases

    Phases NO LONGER ADMIN

    So to be clear, while TT is hopefully no longer (Can someone verify?) storing plain text passwords on devices, it is sending them plain text (well, base64) over the web, for the world to intercept?

    (for non https sites that is)

    http://www.securiteam.com/securitynews/5QP3H0UENA.html
     
    #4 Phases, Aug 19, 2015
    Last edited: Aug 19, 2015
  5. psionandy

    psionandy Extreme Android User

    Ah... so if someone starts posting rubbish from my account, along with incredibly unfunny jokes, arguments that don't make sense, and ill-thought-out attempts at humor... then you'll know my tapatalk account has been hacked....
     
  6. Unforgiven

    Unforgiven ...eschew obfuscation...
    Moderator

    I don't have it installed and my device isn't rooted for me to check. I'll look into it later if I have a chance, but I'm taking off for the weekend.
     
  7. autonomous1

    autonomous1 Newbie
    Thread Starter

    I recently verified Tapatalk is sending passwords in cleartext over the web with two methods:

    A) Capture of login requests sent from Tapatalk Android app. The test setup was Bluestacks, ProxyCap and Charles Proxy. In the captured xmlrpc login request message, the password is stored as base64 and was decoded with an online base64 decoder.

    B) Examination of Tapatalk server-side api code that handles login request processing. The Tapatalk server api generates a php password hash on the cleartext password before comparing to the hashed password stored in the user table.
     
  8. KOLIO

    KOLIO Guest

    Goodbye Tapatalk/Forums for Android app.
    Man, do I miss the OG PHANDROID APP...
     
  9. Phases

    Phases NO LONGER ADMIN

    Sigh. Oh, Tapatalk...
     
    MLSS likes this.
  10. Phases

    Phases NO LONGER ADMIN

    I have done some testing and confirmed this with our branded AF app. Still working on official TT app. Auto, if you don't mind I'm going to PM you some details and questions.

    Appreciate it, as for everyone else - will update soon.
     
    MLSS, El Presidente and KOLIO like this.
  11. Phases

    Phases NO LONGER ADMIN

    Have confirmed it with the official TT app now as well. Will put something together and address it head on with TT and/or Rob to see what sort of fix we can get put in place. They should patch this, but if we must I do like the SSL for TT communications idea.
     
    KOLIO, psionandy and Lordvincent 90 like this.
  12. autonomous1

    autonomous1 Newbie
    Thread Starter

    I confirmed it in the TT server-side API code for Xenforo as well. The TT api invokes the Xenforo validateAuthentication function which accepts a cleartext password retrieved from the TT login request message.

    Here are the relevant sections of code:

    TT api installation: mobiquo/include/login.php:

    Code (Text):
        $userId = $userModel->validateAuthentication($data['login'], $data['password'], $error);
    The Xenforo validateAuthentication function takes a cleartext password and invokes authenticate, which generates a hash on the password and compares with the hashed password stored in user table:

    validateAuthentication invokes:

    Code (Text):
        $authentication->authenticate($user['user_id'], $password)
    source code is here:
    https://github.com/mars236/Sando/bl...8797372d84e930/library/XenForo/Model/User.php

    Xenforo validate function:
    Code (Text):
        public function authenticate($userId, $password)
        {
            // Reject non-string or empty passwords and unloaded user records
            if (!is_string($password) || $password === '' || empty($this->_data))
            {
                return false;
            }
            // Hash the cleartext password, then hash again with the stored salt,
            // and compare against the hash stored in the user table
            $userHash = $this->_createHash($this->_createHash($password) . $this->_data['salt']);
            return ($userHash === $this->_data['hash']);
        }
    source code is here:
    https://github.com/mars236/Sando/bl...8797372d84e930/library/XenForo/Model/User.php
     
    #12 autonomous1, Aug 20, 2015
    Last edited: Aug 20, 2015
    bcrichster likes this.
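    As an added example (not code from this thread, Tapatalk or XenForo): a Python audit script that parses a constructed Tapatalk-style XML-RPC login call like the one captured in post #7, decodes its base64 parameters and flags them as recoverable when the request URL is plain http, and mirrors the salted double-hash check quoted in post #12 to show why the server needs the cleartext password at login and therefore why TLS on the endpoint is the fix. The URL, credentials, salt and the use of sha256 in place of the unshown _createHash are all assumptions.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of a Tapatalk-style XML-RPC login call (mobiquo endpoint).
# URL and credentials are placeholders, not captured data.
SAMPLE_URL = "http://forum.example/mobiquo/mobiquo.php"
SAMPLE_BODY = """<methodCall><methodName>login</methodName><params>
<param><value><base64>ZGVtb3VzZXI=</base64></value></param>
<param><value><base64>Y29ycmVjdC1ob3JzZS1iYXR0ZXJ5</base64></value></param>
</params></methodCall>"""

def login_params(body: str) -> list:
    """Return the base64 params of a 'login' methodCall decoded to text, else []."""
    root = ET.fromstring(body)
    if root.findtext("methodName") != "login":
        return []
    return [base64.b64decode(b.text).decode() for b in root.iter("base64")]

def audit_request(url: str, body: str) -> dict:
    """Flag a login call whose base64-wrapped credentials crossed plain HTTP."""
    creds = login_params(body)
    plaintext_transport = urlparse(url).scheme != "https"
    return {
        "login_call": bool(creds),
        "username": creds[0] if creds else None,
        "password_recoverable": bool(creds) and plaintext_transport,
        "fix": "serve mobiquo.php over HTTPS" if plaintext_transport else None,
    }

def make_record(password: str, salt=None) -> dict:
    """Salted double-hash record in the shape of the XenForo check quoted above.
    sha256 is an assumption standing in for the unshown _createHash."""
    salt = salt or os.urandom(16)
    inner = hashlib.sha256(password.encode()).hexdigest()
    return {"salt": salt, "hash": hashlib.sha256(inner.encode() + salt).hexdigest()}

def authenticate(record: dict, password) -> bool:
    """Server-side check: the server stores only salt+hash, so it must receive
    the cleartext password at login and re-hash it; base64 adds nothing here."""
    if not isinstance(password, str) or password == "" or not record:
        return False
    inner = hashlib.sha256(password.encode()).hexdigest()
    return hashlib.sha256(inner.encode() + record["salt"]).hexdigest() == record["hash"]
```

Run audit_request against the captured URL and body of a login call to your own forum; a "password_recoverable" result of True means the transport, not the encoding, is what needs fixing.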
  13. Phases

    Phases NO LONGER ADMIN

    I have tested this myself two different ways, on two different types of networks, with two different types of software to sniff the data. I have found this to be true with both the TT client and our branded app.

    A report has been put together and sent to Rob with findings and suggested approaches to 'fix'.

    Will update.

    Thanks!
     
  14. Phases

    Phases NO LONGER ADMIN

    So this is your official response on that thread:

    Interesting read here too btw: https://theadminzone.com/threads/tapatalk-sends-unencrypted-passwords-over-the-web.135833/

    I have read all the responses. I have done further testing myself. I agree with your assessment:

    "The only solution to provide password security on your forum is to enable HTTPS"

    I have recommended that we implement SSL on our login forms. It is true this is not a Tapatalk issue - so much as a general issue that Tapatalk is only a part of.

    Thanks,
     
    #15 Phases, Aug 22, 2015
    Last edited: Aug 22, 2015
    MLSS, palmtree5 and Xyro like this.
  15. Phases

    Phases NO LONGER ADMIN

    While out doing some yardwork I got to thinking about this. I have a few things I need to say, which might upset a couple people but, it needs to be said nonetheless.

    First, I need to apologize to Tapatalk for helping fuel the hysteria. I see this being discussed in a few places around the web, and I know a lot of people like to hate on Tapatalk, so it is easy for these threads to snowball and my participation - well, I'm a little embarrassed to be honest. I tried to not jump the gun, I tested everything before speaking, but one small and hugely important factor here just... slipped my mind.

    I am not a security expert, so to speak. I am in the field a little, I do have exposure and I'm a real technical person. But of course, I'm no more right 100% of the time than anyone else in the world, so it's okay but - my point is: I already knew what Tapatalk argues is the case, and I can't believe it didn't just hit me from the start. I don't know what happened, I guess I latched on to the tone of the report and kinda blindly took it as Tapatalk being less secure than anyone else. For that I apologize to Tapatalk and all of you.

    The point is true - unless a site is using SSL (https) it's simply not secure. Tapatalk isn't doing anything less, in this regard, than your Internet browser on your Android phone or desktop is doing. In fact, one might argue it's doing more - at least it's putting the info into SOMETHING (base64).

    I can log into the site on my phone or desktop browser, analyze the packets that are out there, and the results are the same. In fact it is even clearer. Plain text as can be. I just did both just to verify what I already knew. This is why one shouldn't share passwords with non-https sites as you would with your most valuable logins, like a bank.

    This thread, this report, shouldn't be "since Tapatalk doesn't send your info securely, you should get https", it should be "You should get https."

    Unfortunately the web by default isn't secure, and people have to take steps to make it secure themselves. In fact, if I were Tapatalk, I would try to find a creative way to pass the credentials securely, if just so they can tout adding a layer of security to insecure sites when people use their product. But, regardless they are not at fault, the communities are, for being non-https.

    There are several claims out there questioning some of the Tapatalk business practices and coding, but those aside and in this instance - I retract any implication of fault/shadiness/poor practices.

    I have recommended we secure our login process with SSL. I have recommended the same in years past. In the meantime I will recommend to our community the same guidelines that should be given to all users on the web - don't use login credentials here or on any non-https site that are used elsewhere with the big data (financial, etc). The chances that someone is sitting in Starbucks with you trying to grab your AF credentials are less than not, but the chance exists. Should it happen, let's keep the damage to nothing more than your AF account and email address.

    In other words: Nothing to see here, folks. I do appreciate auto's good lookin' out, I very much do appreciate the report and research on his end, :) But my mistake for not taking this private much earlier to discuss why this may be nothing more than ordinary.

    I'll update the OP and leave the thread intact though, as I'm sure other admins are searching around for discussion around this topic as it makes the rounds.
     
    #16 Phases, Aug 22, 2015
    Last edited: Aug 22, 2015
  16. AZgl1500

    AZgl1500 Extreme Android User

    To some extent, I have a bit more protection than most, IF away from home.
    I always use VPN to tunnel out of any WiFi router that is not my own.

    I can also use it with DATA thru Verizon's network, but I haven't been doing that.

    But, once the VPN server is reached, then you are going to the website "in the open" again. But, probably less likely to be monitored that way, than if someone were listening to your phone's WiFi signal.

    Here on my desktop tower PC, I always run VPN... just do it as a normal thing. I like privacy and I don't like snoops tracking where I go.... my IP location jumps all over the place, I change it once in a while just for drill.

    A side note on this, is that I get the fastest downloads when using a VPN server located in Europe somewhere, the UK is very fast.... faster than any of the USA servers I have tried.
     