
Tapatalk Plugin bypasses SMF security functions

Started by Onkel Hannes, March 04, 2013, 09:55:02 AM


Onkel Hannes

Hi,

I am part of the admin team of a forum running SMF 1.1.18. On request of our users we have installed the Tapatalk plugin about one year ago.

This is no direct request for support (we are aware that TT is a third party mod, but -according to its website- it is "approved" by SMF). It is a sort of bug report. The TT support forum has few posts regarding such issues, and we feel that this report belongs here, as most users in the TT forum seem to care about getting TT running without interfering with advertisement, and don't care for other issues.

We would be curious if other SMF administrators can reproduce and confirm the issues we found.

We have very few other mods installed, the only mod that in our eyes could interfere is the cb|Emailogin, as we have been subject to dictionary attacks against user accounts in the past. cb|Emailogin disables login by account name, and requires the user to enter his registered email address instead.

Just by chance, I noticed that using TT, one can still log in using his username, bypassing the required email address. One of our moderators noticed that word censoring does not work with TT as well.

So we checked several functions with TT, and found the following issues:
  • TT bypasses cb|Emailogin (see above)

  • TT bypasses word censoring
    TT users see censored words uncensored

  • TT partially bypasses hidden online status
    Moderators and Admins have their online status (green dot) hidden. TT does not show hidden online users in the list, but shows the green dot in any post when the hidden person is online.

  • TT bypasses IP ban
    A user banned by his IP can log in. SMF shows the banned user as guest, and therefore cannot be identified by administrators. However, the user has read access to boards that he should see only as regular member.
    Every request by an IP-banned user creates a record in the error log file however, flooding it with messages.

  • TT bypasses IP display in profile
    The profile of a TT user shows an empty IP and hostname field. The user's IP is however visible for administrators in the message body if the user posts a message.

  • TT bypasses log functions
    A user logging in via TT and entering a wrong password does not create an entry in the error log file. As the SMF standard login is via username, and the email address required by cb|Emailogin is disregarded, a malicious user could run dictionary attacks against user passwords without triggering the log functionality, and thus is difficult to discover by administrators.

We run the TT 2.1.0 plugin. We realize that there is a newer 2.1.1 released some days ago, but considering the above issues and the fact that there is no real change log ("some bugs fixed"), we did not install the upgrade yet. Instead we consider disabling TT completely.

Can anyone reproduce the above behaviour?

Regards,

Onkel Hannes

Arantor

It would not even remotely surprise me that it bypasses much of what goes on.

Given its nature, the TT app on mobile devices communicates with the mobiquo folder as an API.

emaillogin is a mod, they can't necessarily adhere to it (I doubt their app, on probably millions of devices by now, sends email addresses).

Word censoring can actually be disabled by users if you allow them to (see the current theme page as to whether the option is enabled or not)

Bypassing hidden status, bypassing IP ban, these things I can well imagine would be the case, though note that mobile device IP bans are unreliable at best based on the proxies used by mobile ISPs.

Ultimately you should take this up with TT, because they're the ones who need to fix it. A review was done initially but not on subsequent updates (and if there is an issue, there is the report button which can be used to notify the mod moderators here).
Holder of controversial views, all of which my own.
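The pattern behind the issues listed in the first post and Arantor's explanation (a mobile API entry point that never passes through the hooks a mod adds to the web login) can be shown with a small model. This is an added illustration, not SMF, cb|Emailogin or Tapatalk code; the account, addresses and log wording are constructed, and the "hardened" variant simply routes the API through the same chokepoint as the web login.

```python
# Added model (not SMF or Tapatalk code): two login entry points over one core.
# The account, IP addresses and log wording are constructed for this example.
USERS = {"alice": {"email": "alice@example.invalid", "password": "hunter2"}}
BANNED_IPS = {"198.51.100.7"}


class Forum:
    """'Before': policy checks live in the web login path only."""

    def __init__(self):
        self.error_log = []

    def _verify_password(self, username, password):
        # Raw credential check; knows nothing about bans or logging.
        user = USERS.get(username)
        return user is not None and user["password"] == password

    def _policy_login(self, identifier, password, ip):
        # What the hooked web login enforces: IP ban, email-only login
        # (the cb|Emailogin behaviour) and an error-log entry per failure.
        if ip in BANNED_IPS:
            self.error_log.append(f"banned ip {ip} attempted login")
            return False
        username = next((u for u, d in USERS.items() if d["email"] == identifier), None)
        if username is None:
            self.error_log.append(f"login refused, not an email address, from {ip}")
            return False
        if not self._verify_password(username, password):
            self.error_log.append(f"bad password for {username} from {ip}")
            return False
        return True

    def web_login(self, identifier, password, ip):
        return self._policy_login(identifier, password, ip)

    def api_login(self, identifier, password, ip):
        # The API client calls the credential check directly: no ban check,
        # no email rule, and a wrong password leaves nothing in the log.
        return self._verify_password(identifier, password)


class HardenedForum(Forum):
    """'After': every entry point passes through the same chokepoint."""

    def api_login(self, identifier, password, ip):
        return self._policy_login(identifier, password, ip)


if __name__ == "__main__":
    before, after = Forum(), HardenedForum()
    print("API login from banned IP, before:", before.api_login("alice", "hunter2", "198.51.100.7"))
    print("API login from banned IP, after: ", after.api_login("alice", "hunter2", "198.51.100.7"))
```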
