Author |
Message |
timark_uk
Moderator
Joined: Thu Apr 23, 2009 6:11 pm Posts: 12143 Location: Belfast
|
I don't, and never have, had that TapaTalk app installed on any of my devices … and the redirect has just happened to me again on my iPad.
Mark
|
Tue Dec 16, 2014 11:19 pm |
|
 |
steve74
Doesn't have much of a life
Joined: Fri Apr 24, 2009 12:43 pm Posts: 1798 Location: Manchester
|
Yep, me again, after emptying the history. But this one has a different address than the first one, though the same background image...  All a bit concerning. I realise there's nothing they can really steal here, no payment details or personal info other than email addresses, but would it be an idea to change login passwords?
_________________ * Steve *
* Witty statement goes here *
|
Tue Dec 16, 2014 11:37 pm |
|
 |
leeds_manc
I haven't seen my friends in so long
Joined: Thu Apr 23, 2009 8:19 pm Posts: 5071 Location: Manchester
|
Judging by the background I'd say this was a message directly from the UN, I'd pay up very quickly. 
|
Tue Dec 16, 2014 11:39 pm |
|
 |
steve74
Doesn't have much of a life
Joined: Fri Apr 24, 2009 12:43 pm Posts: 1798 Location: Manchester
|
Oh, I would if only I knew WFT Ukash or PaySafeCard vouchers were! What's wrong with good old fashioned PayPal? 
_________________ * Steve *
* Witty statement goes here *
|
Tue Dec 16, 2014 11:47 pm |
|
 |
cloaked_wolf
What's a life?
Joined: Thu Apr 23, 2009 8:46 pm Posts: 10022
|
I've never had tapatalk on this iphone or the ipad. Just had the site come up when accessing the forum from a forum link on the homepage of the iphone via 3G.
_________________ He fights for the users.
|
Wed Dec 17, 2014 7:47 am |
|
 |
paulzolo
What's a life?
Joined: Thu Apr 23, 2009 6:27 pm Posts: 12251
|
Is this a shared server? Are any other sites affected?
I just retried this on my iPad - and got a redirect. I noticed that the first redirect was to a domain with the words “moving on” in it - it was quite fast and I didn’t think to screen capture it. It’s odd, because when I tried to re-trip it (clearing cookies, restarting the iPad), it just went straight to the x404 home page as expected. So something is tracking IP addresses and ignoring frequent or closely spaced requests. Odd, but clearly designed to hinder any forensic testing.
What you can try is plugging your iPad into your Mac and using Safari to track what the iPad’s browser is doing. That’s handy for web dev work, but it could also be handy here, especially if you have screen capture software to grab the sequence of events. I may try that later on.
I’ll try TunnelBear on my iPad - see if a change in “personality” trips it and I may be able to screen grab some transient domain names.
|
Wed Dec 17, 2014 10:04 am |
|
 |
saspro
Site Admin
Joined: Thu Apr 23, 2009 5:53 pm Posts: 8603 Location: location, location
|
No other sites are getting this and tapatalk had a security breach earlier in the week (maybe earlier than that but they took a while to inform everybody). There's nothing in the htaccess files etc to do it, malware scans are clean and all the js that's used by tapatalk etc was clean but I removed it anyway. Looks like more investigation is needed
|
Wed Dec 17, 2014 11:14 am |
|
 |
paulzolo
What's a life?
Joined: Thu Apr 23, 2009 6:27 pm Posts: 12251
|

Looking around, it sounds like it was Tapatalk’s own server that was hacked, but there seems to be confusion over how far the reach is. Tapatalk are saying that the breach came through Wordpress and it affects your support.tapatalk.com login (if you have one). Other services are not affected:
Quote:
if you have a login on support.tapatalk.com then you are affected. If you last logged in over 4 days ago, then it is unlikely your password has been disclosed as it was encrypted. If you logged in on (or since) the 10th of December then your password has been available in clear text to a person operating a server from Sweden
The logins to support.tapatalk.com and every other tapatalk system are NOT related unless you used the same email address and password.
Affected
- support.tapatalk.com
Unaffected
- http://www.tapatalk.com
- Admin control panels.
- Tapatalk plugins
- Tapatalk mobile apps
If you log in via the app using google+/facebook (etc), then I will have to ask the devs to provide an exact answer as to how the one time tokens are passed from the external authentication providers to forums and how they are stored and then authenticated back
https://support.tapatalk.com/threads/pa ... 443/page-2
I’ll see what I can get by connecting my iPad to my Mac and looking at the dev feedback. I expect it’s timed out and I’ll get more redirects.
Edit: After a few attempts, I managed to get a recording of a session in Safari (you can do this by hooking your iPad to a Mac and using the Develop menu in Safari to see what’s being loaded etc.). I’ve got a movie of it which I’ve DMed Saspro about. Hopefully it will help in his investigations. It’s a hugger to trip too - I think there’s a script that’s logging IP addresses and only redirecting either randomly, or after a certain amount of time.
|
Wed Dec 17, 2014 12:19 pm |
|
 |
ProfessorF
What's a life?
Joined: Thu Apr 23, 2009 7:56 pm Posts: 12030
|
It happened today again on my iPhone at work - logged into the college eduroam wifi. A few of the teaching staff are curious to find out what's been prompting it. Again, I'm not a tapatalk user, never have been, but interesting to find out how the attack has been engineered.
|
Wed Dec 17, 2014 3:20 pm |
|
 |
saspro
Site Admin
Joined: Thu Apr 23, 2009 5:53 pm Posts: 8603 Location: location, location
|
I've made some changes this afternoon so hopefully it should be sorted after another cache clear.
The site is coming up clean on all the scanners I've found online so unless it's something well above normal access on the server there's no malicious code
|
Wed Dec 17, 2014 3:27 pm |
|
 |
cloaked_wolf
What's a life?
Joined: Thu Apr 23, 2009 8:46 pm Posts: 10022
|
_________________ He fights for the users.
|
Wed Dec 17, 2014 9:11 pm |
|
 |
cloaked_wolf
What's a life?
Joined: Thu Apr 23, 2009 8:46 pm Posts: 10022
|
_________________ He fights for the users.
|
Wed Dec 17, 2014 9:17 pm |
|
 |
paulzolo
What's a life?
Joined: Thu Apr 23, 2009 6:27 pm Posts: 12251
|
Not seen those URLs, but, yes, the problem repeated itself on my iPad. It’s now restarting because the Safari crash was a little nastier this time, it seems.
|
Wed Dec 17, 2014 9:27 pm |
|
 |
brataccas
I haven't seen my friends in so long
Joined: Thu Apr 23, 2009 9:14 pm Posts: 5664 Location: Scotland
|
this is what happens when you mock the illuminati
_________________
|
Wed Dec 17, 2014 10:15 pm |
|
 |
paulzolo
What's a life?
Joined: Thu Apr 23, 2009 6:27 pm Posts: 12251
|
Getting initially redirected to sanojum.uk.to and then on to bookkeepinggals.com - I can trigger the behaviour fairly easily using TunnelBear to change my geographic location. If I disable JavaScript, then it doesn't happen. Right now, I am wondering about two possibilities:
1 - a file in a Wordpress theme is no longer what we think it is - it's being served as a script instead of an image, for example. The file name says "I'm a graphic"; the contents are a spot of JavaScript.
2 - One of those social media buttons has been compromised in some fashion. They tend to be iFrames, constructed with JavaScript, and they load more than an image - they are whole web pages.
I am speculating about these - but with JavaScript off, it seems that the problem goes away.
|
Wed Dec 17, 2014 10:33 pm |
|
|
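The first possibility raised in the last post (a theme file named like an image whose contents are JavaScript) can be checked on the server by comparing each image-named file's leading bytes with the signature its extension implies. This is an added example, not part of the thread or the site's own code; the directory layout, file names and hint strings are constructed assumptions.

```python
import os
import tempfile

# Leading "magic" bytes expected for common image extensions.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Byte strings that suggest script content (a heuristic, not a signature set).
SCRIPT_HINTS = (b"<script", b"function", b"eval(", b"document.", b"window.location")


def find_mismatched_images(root):
    """Return sorted (relative_path, reason) for image-named files that are not images."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue  # only files that claim to be images
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(4096)
            if data.startswith(MAGIC[ext]):
                continue  # header matches the extension
            hits = [h.decode() for h in SCRIPT_HINTS if h in data.lower()]
            reason = "script-like content: " + ", ".join(hits) if hits else "bad magic bytes"
            findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo():
    """Build a constructed theme directory (sample files only) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        img = os.path.join(root, "theme", "images")
        os.makedirs(img)
        samples = {
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,   # genuine PNG header
            "spacer.gif": b"GIF89a" + b"\x00" * 16,            # genuine GIF header
            "social.png": b"var u='//example.invalid/';window.location=u;",
            "header.jpg": b"",                                  # truncated or emptied file
        }
        for name, body in samples.items():
            with open(os.path.join(img, name), "wb") as fh:
                fh.write(body)
        return find_mismatched_images(root)
```

A file that passes this check is not proven clean, since only the first bytes are compared; anything it flags is worth diffing against a known-good copy of the theme.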