• After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.

Tapatalk sends unencrypted passwords over the web.

autonomous1

autonomous1

Newbie
Edit by Phases: Please see this response.

Since Tapatalk sends unencrypted passwords over the web it would be a good idea to maintain a valid security certificate and arrange to have Tapatalk users access the site via https. The Tapatalk password is encoded as base64, which can be easily decoded to cleartext. This issue was brought up to Tapatalk support over a year ago, and even though they acknowledged it and said it would be fixed soon, the security issue still exists. I captured a sample login message sent by the latest version of Tapatalk and decoded my username/password being sent over the web in base64 cleartext.

Here is the issue brought up to Tapatalk over a year ago:

Concerned user said:
I decided to run a packet capture on my home network to see how secure the TapaTalk login process was. this was tested on v. 4.3.0 of tapatalk - vbulletin 3.8.7

I was very disappointed to see that TapaTalk is simply base64 encoding the password before sending across the network! If someone is sniffing traffic on the network they can *instantly* reverse your password by coping and pasting it into looks like this:

http://www.base64decode.org/

Simply unacceptable coding practices here.
Click to expand...

Tapatalk said:
Thank you for your reporting, we will fix this in next plugin version. Actually it already works for vb4 versions.
I've sent you a pm on a temporary fix, please check.
Click to expand...



https://support.tapatalk.com/thread...sword-when-transmitting-across-network.23244/

NET::ERR_CERT_AUTHORITY_INVALID

Subject: androidforums.neverstill.com
Issuer: androidforums.neverstill.com
Expires on: Apr 15, 2016
Current date: Aug 18, 2015
PEM encoded chain: -----BEGIN CERTIFICATE-----
MIIDfzCCAmegAwIBAgIFAkTLF2wwDQYJKoZIhvcNAQELBQAwWDElMCMGA1UEAwwc
YW5kcm9pZGZvcnVtcy5uZXZlcnN0aWxsLmNvbTEvMC0GCSqGSIb3DQEJARYgc3Ns
QGFuZHJvaWRmb3J1bXMubmV2ZXJzdGlsbC5jb20wHhcNMTUwNDE2MDk1MzEzWhcN
MTYwNDE1MDk1MzEzWjBYMSUwIwYDVQQDDBxhbmRyb2lkZm9ydW1zLm5ldmVyc3Rp
bGwuY29tMS8wLQYJKoZIhvcNAQkBFiBzc2xAYW5kcm9pZGZvcnVtcy5uZXZlcnN0
aWxsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALrSsn/YQ8lK
X62HZBlRPS5XotHs1qZLEhukHGs/uLp+QoY+Pd5x2iJ1HmYIw8c4DYnmXhm+2t2p
3qkGWd2/E79Qv9ffaKkWQt4kzuKnIBweHLk+jOofZ93oToBO2zbmmsyPGDRVs9vf
WD3MrYoglgUMYN93oELLxf7FHlJklE1nd1WH37wr7eb7DEEJu8DTcCgDOrejdquS
EjcHYbI4XMTMf3rz5DLzNqTGEDYi+aRuwEjtrJ5FZ2CqSIDjOtx8TY/h86+5DQRK
cNPer/Fg+2EngVTLbn1iFXkLbfHKlK2WUxTAxHqjrGoI6T43d3hoaxokCWef7L3O
GBWOxFtwlRECAwEAAaNQME4wHQYDVR0OBBYEFKKUGS5mwyggR0tc5tL4F8FVKkC9
MB8GA1UdIwQYMBaAFKKUGS5mwyggR0tc5tL4F8FVKkC9MAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAJVNhFY7ssM3+NUBGhuu1LXyLQ+lByft4HZ5kNYQ
0blo4s0MKI+2WFNVGhgq8T7799zm1bQL6xJR+clcCfnIBDYwTICMRQDjg10yr3dG
upsqvq8yU5PMGHtpVVNpRuFJACQ5CzUB4jLCJOFDMTWcslGA5JChb1SR/ALXJu0T
EPCHQnSqTAf+ZWaITtq0i9ng3sUD9dgKz2aPBysClmkkoceMQ0BbBpJvZveRTjOb
rhjQW7qglyzKx6OvrrwMiFv2ay/XWQh+LrgeBgNTf39CLPuIBl/4yia07xhI4K9i
EO+T+iX4/lp2X4RmDABbBWp6t+tKgwM4AJFiMrXKZQmTx98=
-----END CERTIFICATE-----
 
Last edited by a moderator:
Check the files it stores on your phone. It probably still stores your password in clear text on your phone. They fixed it for one update, then reverted back when I reported it a couple of years ago.
 
I don't have it installed and my device isn't rooted for me to check. I'll look into it later if I have a chance, but I'm taking off for the weekend.
 
Phases said:
So to be clear, while TT is hopefully no longer (Can someone verify?) storing plain text passwords on devices, it is sending them plain text (well, base64) over the web, for the world to intercept?
Click to expand...

I recently verified Tapatalk is sending passwords in cleartext over the web with two methods:

A) Capture of login requests sent from Tapatalk Android app. The test setup was Bluestacks, ProxyCap and Charles Proxy. In the captured xmlrpc login request message, the password is stored as base64 and was decoded with an online base64 decoder.

B) Examination of Tapatalk server-side api code that handles login request processing. The Tapatalk server api generates a php password hash on the cleartext password before comparing to the hashed password stored in the user table.
 
Goodbye Tapatalk/Forums for Android app.
Man,do I miss the OG PHANDROID APP ........
 
I have done some testing and confirmed this with our branded AF app. Still working on official TT app. Auto, if you don't mind I'm going to PM you some details and questions.

Appreciate it, as for everyone else - will update soon.
 
Have confirmed it with the official TT app now as well. Will put something together and address it head on with TT and/or Rob to see what sort of fix we can get put in place. They should patch this, but if we must I do like the SSL for TT communications idea.
 
I confirmed it in the TT server-side API code for Xenforo as well. The TT api invokes the Xenforo validateAuthentication function which accepts a cleartext password retrieved from the TT login request message.

Here are the relevant sections of code:

TT api installation: mobiquo/include/login.php:

Code: 
$userId = $userModel->validateAuthentication($data['login'], $data['password'], $error);

The Xenforo validateAuthentication function takes a cleartext password and invokes authenticate, which generates a hash on the password and compares with the hashed password stored in user table:

validateAuthentication invokes:

Code: 
authentication->authenticate($user['user_id'], $password))

source code is here:
https://github.com/mars236/Sando/bl...8797372d84e930/library/XenForo/Model/User.php

Xenforo validate function:
Code: 
public function authenticate($userId, $password)
{
if (!is_string($password) || $password === '' || empty($this->_data))
{
return false;
}
$userHash = $this->_createHash($this->_createHash($password) . $this->_data['salt']);
return ($userHash === $this->_data['hash']);
}
}
source code is here:
https://github.com/mars236/Sando/bl...8797372d84e930/library/XenForo/Model/User.php
 
Last edited:
I have tested this myself two different ways two different types of networks with two different types of software to sniff the data. I have found this to be true with both TT client and our branded app.

A report has been put together and sent to Rob with findings and suggested approaches to 'fix''.

Will update.

Thanks!
 
tapatalk said:
This is the official response:

https://support.tapatalk.com/thread...eb-misleading-false-claim-topic-locked.31541/
Click to expand...

So this is your official response on that thread:

Unless your site is running HTTPS then every web browser will be submitting a cleartext password in some form, either directly from a form post or in the form of a MD5 hash, and anyone in the position to undertake a Man in the middle attack will be able to gain access to this information. This is the mechanism provided by every forum regardless of having Tapatalk installed or not, and the only method that HTTP provides. This is not unique to tapatalk as this is the behavior on every forum, from every client where HTTPS is not used.

There is an argument to the storing of passwords on a device so that they can be used to log into forums. This is where the device operating system security takes over and where it should prohibit rogue applications from gaining access to to locally stored passwords. Again this is not something that applies only to Tapatalk, especially with rooted devices that severely degrades the operating systems ability to restrict access. Almost all applications installed on your phone will store passwords in a way so that they can be passed to servers to authenticate. Gmail does it, facebook does it, even the one-time-password systems store secret keys in plain text in SQLite databases.

The only solution to provide password security on your forum is to enable HTTPS
Click to expand...

Interesting read here too btw: https://theadminzone.com/threads/tapatalk-sends-unencrypted-passwords-over-the-web.135833/

I have read all the responses. I have done further testing myself. I agree with your assessment:

"The only solution to provide password security on your forum is to enable HTTPS"

I have recommended that we implement SSL on our login forms. It is true this is not a Tapatalk issue - so much as a general issue that Tapatalk is only a part of.

Thanks,
 
Last edited:
Phases said:
So this is your official response on that thread:

Interesting read here too btw: https://theadminzone.com/threads/tapatalk-sends-unencrypted-passwords-over-the-web.135833/

I have read all the responses. I have done further testing myself. I agree with your assessment:

"The only solution to provide password security on your forum is to enable HTTPS"

I have recommended that we implement SSL on our login forms. It is true this is not a Tapatalk issue - so much as a general issue that Tapatalk is only a part of.

Thanks,
Click to expand...

While out doing some yardwork I got to thinking about this. I have a few things I need to say, which might upset a couple people but, it needs to be said nonetheless.

First, I need to apologize to Tapatalk for helping fuel the hysteria. I see this being discussed in a few places around the web, and I know a lot of people like to hate on Tapatalk, so it is easy for these threads to snowball and my participation - well, I'm a little embarrassed to be honest. I tried to not jump the gun, I tested everything before speaking, but one small and hugely important factor here just... slipped my mind.

I am not a security expert, so to speak. I am in the field a little, I do have exposure and I'm a real technical person. But of course, I'm no more right 100% of the time than anyone else in the world, so it's okay but - my point is: I already knew what Tapatalk argues, is the case, and I can't believe it didn't just hit me from the start. I don't know what happened, I guess I latched on to the tone of the report and kinda blindly took it as Tapatalk being less secure than anyone else. For that I apologize to Taptalk and all of you.

The point is true - unless a site is using SSL (https) it's simply not secure. Tapatalk isn't doing anything less, in this regard, than your Internet browser on your Android phone or desktop is doing. In fact, one might argue it's doing more - at least it's putting the info into SOMETHING (base64).

I can log into the site on my phone or desktop browser, analyze the packets that are out there, and the results are the same. In fact it is even clearer. Plain text as can be. I just did both just to verify what I already knew. This is why one shouldn't share passwords with non-https sites as you would with your most valuable logins, like a bank.

This thread, this report, shouldn't be "since Tapatalk doesn't send your info securely, you should get https", it should be "You should get https."

Unfortunately the web by default isn't secure, and people have to take steps to make it secure themselves. In fact, if I were Tapatalk, I would try to find a creative way to pass the credentials securely, if just so they can tout adding a layer of security to insecure sites when people use their product. But, regardless they are not at fault, the communities are, for being non-https.

There are several claims out there questioning some of the Tapatalk business practices and coding, but those aside and in this instance - I retract any implication of fault/shadiness/poor practices.

I have recommended we secure our login process with SSL. I have recommended the same in years past. In the meantime I will recommend to our community the same guidelines that should be given to all users on the web - don't use login credentials here or on any non-https site that are used elsewhere with the big data (financial, etc). The chances that someone is sitting in Starbucks with you trying to grab your AF credentials are less than not, but the chance exists. Should it happen, let's keep the damage to nothing more than your AF account and email address.

In other words: Nothing to see here, folks. I do appreciate auto's good lookin' out, I very much do appreciate the report and research on his end, :) But my mistake for not taking this private much earlier to discuss why this may be nothing more than ordinary.

I'll update the OP and leave the thread intact though, as I'm sure other admins are searching around for discussion around this topic as it makes the rounds.
 
Last edited:
To some extent, I have a bit more protection than most, IF away from home.
I always use VPN to tunnel out of any WiFi router that is not my own.

I can also use it with DATA thru Verizon's network, but I haven't been doing that.

But, once the VPN server is reached, then you are going to the website "in the open" again. But, probably less likely to be monitored that way, than if someone were listening to your phone's WiFi signal.

Here on my desktop tower PC, I always run VPN... just do it as a normal thing. I like privacy and I don't like snoops tracking where I go.... my IP location jumps all over the place, I change it once in a while just for drill.

A side note on this, is that I get the fastest downloads when using a VPN server located in Europe somewhere, the UK is very fast.... faster than any of the USA servers I have tried.
 
You must log in or register to reply here.
Back
Top Bottom