Tapo app security breach?
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
This post has nothing to do with my camera/s, but it is the only way I can find to bring this issue up.
I opened the Tapo app on my phone today and instead of the normal screen it opened showing what looked like a partially transparent full screen overlay showing a live view of somebody elses' lounge, which I have never seen before.
Under the overlay, I could make out the normal opening screen, but I was so taken back by it I spoke exclaimed "what the heck!". Moments later, I heard my own words repeated back to me, but not from my cameras because I was too far away from them for this to be possible, the repeat came through my phone speakers.
Now before anyone can claim I was picking up my neighbours Wifi or something similar, that is physically impossible because my closest neighbour is more then 141 Metres away and there is an earth hill between us. The next closest one is 500m away and behind a thick grove of trees, so we essentially have fully isolated WiFi.
I found I could tap the name of one of my cameras through this random overlay and as soon as I did that, the overlay disappeared and the app returned to normal.
Now I do not use any of the web services to upload footage from my cameras, I use the SD-Card exclusively because we have a monthly limit and I don't want to consume my data allowance.
Has anyone ever seen or reported anything like that before? How was it possible a live view of somebodys lounge who I do not know, have never seen and will lilkely never know to be displaying on my Tapo app when I only have my own cameras setup?
Surely this has to be a serious security flaw that needs to be escalated to the highest point for investigation and immediate resolution.
UPDATE
Thank you for the link to support, I somehow missed it so my search-fu was lacking that day.
I've had some extensive conversations with TP-Link Head Engineer and after exhausting all the possibilities, it appears there was a phenomenon that happened once and once only on my phone during the Tapo app startup sequence. Since this post, TP Link have done some extensive investigations on their servers and in particular, connections with my devices and no trace logs or anomalies could be found. I was assured the security model and that it had not been compromised. I'm satisfied with the outcome, some additional reporting tools were provided that I can use in the future if any such thing should happen again so I'll go with that.
Nevertheless, I still had an incident that caused me no shortage of alarm at the time, therefore I thought it prudent to at least provide some details of the phemonenon I experienced by way of 2 images. One image shows my normal Tapo app startup page which dispolays the contents at "My Home --> Favorites", and the second shows a mock-up of the phenomenon I experienced.
My resultant mockup is taken from 2 phone screenshots and using Graphics editing apps on my Laptop, I overlayed one snapshot on top of the other, masked and shaded some areas then set the opacity of the top layer to 82%. This most accurately rendered the equivalent look of my phones screen at the time. Note, I restarted my phone 2 days prior, after receiving a substantial security update from the manufacturers.
As this was the first time I opened Tapo since the restart, the Tapo Splash displayed as expected, however, on this occasion, the Tapo splash did not fade within the normal half second spin up time. Instead of the normal My Home --> Favorites page being displayed, this random footage or static image, I can not tell what, was displayed in the exact location as would a normal review of recorded content through the standard Tapo playback.
