Security researcher Vangelis Stykas published a blog post on Friday outlining that Tapplock API endpoints have literally no security checks beyond checking whether there was a valid token.So if you create a Tapplock account and gain a login, you will be able – again – to open every single Tapplock out there.
Source: Unbreakable smart lock devastated to discover screwdrivers exist • The Register