Most people would think it is unethical of a company to knowingly distribute a serious security breach in their server-side API code and also collect user information from someone else's website and forward it to their own server. This type of activity most certainly violates many privacy policies.
Here is something that was uncovered after reviewing the Tapatalk server-side API code obtained from the Tapatalk site on June 9, 2015:
The Tapatalk API sends your logged-in session id and the URL of your post to tapatalk.com. Why does Tapatalk need a logged-in session id, and what exactly do they do with it? Holding a logged-in session id enables Tapatalk to obtain supposedly private account information from the forums you access. Other unwanted actions could be taken with a logged-in session id, such as impersonating your account.
The following article on PHP session hijacking describes exactly the scenario that is implemented in the Tapatalk API:
http://resources.infosecinstitute.com/php-session-ids-the-risks-2/
The Tapatalk API is effectively implementing a "Session Hijacking Attack" as shown in the following, although the sequence may be different:
Session id leaks are considered a major security breach. From the PHP manual:
There are several ways to leak an existing session ID to third parties. A leaked session ID enables the third party to access all resources which are associated with a specific ID. First, URLs carrying session IDs. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session IDs will flow in plain text over the network.
http://php.net/manual/en/session.security.php
Here's the code in the Tapatalk API. It is invoked on posts made to the forum via the Tapatalk API:
In mobiquo/function/invitation.php:
if(!empty($_POST['session']) && !empty($_POST['api_key']) && !empty($_POST['subject']) && !empty($_POST['body']))
{
    $_POST['submit'] = true;
    $GLOBALS['_REQUEST']['message'] = $_POST['message'] = $_POST['body'];
    $email = new mobi_acp_email();
    // The forum session id and API key are placed in the query string of a GET request to tapatalk.com
    $push_url = "http://tapatalk.com/forum_owner_invite.php?PHPSESSID=$_POST[session]&api_key=$_POST[api_key]&url=".urlencode($furl)."&action=verify";
    $response = getContentFromRemoteServer($push_url, 10, $error, 'GET');
    if($response) $result = json_decode($response, true);
    if(empty($result) || empty($result['result']))
        if(preg_match('/\{"result":true/', $response))
            $result = array('result' => true);
    if(isset($result) && isset($result['result']) && $result['result'])
    {
        if(!empty($_POST['username']))
        {
            $GLOBALS['_REQUEST']['usernames'] = $_POST['usernames'] = $_POST['username'];
            $GLOBALS['_REQUEST']['send_immediately'] = $_POST['send_immediately'] = true;
        }
        $invite_response = $email->main('email', 'email');
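The leak described above is a session id and an API key carried as query-string parameters, which is exactly what lands in web server access logs and in the referrer logs of any site the URL reaches. The following is an added example of a check a forum administrator can run over their own access logs; it is not code from Tapatalk or phpBB. It parses Apache/nginx "combined" log lines, flags requests whose request URL or Referer header carries a parameter named like a session id or API key, and redacts the values so the report itself does not re-leak them. The parameter names beyond PHPSESSID and api_key, the host example.test, and the sample log lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-string parameter names that should never carry a live credential.
# PHPSESSID and api_key come from the invitation.php snippet; the other
# names are common equivalents added here as an assumption.
SENSITIVE_PARAMS = {"phpsessid", "session", "sid", "api_key", "apikey", "token"}

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def redact(value):
    """Keep only a 4-character prefix so a report can correlate without re-leaking the token."""
    return value[:4] + "..." if len(value) > 4 else "****"


def find_sensitive_params(url):
    """Return {name: redacted_value} for query parameters that look like credentials."""
    query = urlsplit(url).query
    found = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value:
            found[name] = redact(value)
    return found


def scan_log(lines):
    """Flag log entries whose request URL or Referer carries a session id or API key."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in combined format; skip rather than guess
        for where in ("target", "referer"):
            url = m.group(where)
            if where == "referer" and url == "-":
                continue  # no Referer header was sent
            hits = find_sensitive_params(url)
            if hits:
                findings.append({
                    "ip": m.group("ip"),
                    "where": where,
                    "path": urlsplit(url).path,
                    "params": hits,
                })
    return findings


# Constructed sample lines (not real log data): a clean request, a request
# carrying PHPSESSID and api_key in the query string as in the snippet above,
# and a request whose Referer header brings a session id in from another page.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jun/2015:10:00:00 +0000] "GET /viewtopic.php?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Jun/2015:10:00:01 +0000] "GET /forum_owner_invite.php?PHPSESSID=abcdef0123456789&api_key=k3y&url=http%3A%2F%2Fexample.test%2Fviewtopic.php%3Ft%3D42&action=verify HTTP/1.1" 200 64 "-" "Tapatalk"',
    '198.51.100.7 - - [09/Jun/2015:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "http://example.test/ucp.php?sid=deadbeefcafef00d" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against a real access log with `scan_log(open("access.log"))`. Checking the Referer column as well as the request line matters because, as the PHP manual quote above notes, a session id in a URL travels to the next site the user visits; a hit in the Referer column means the token was minted elsewhere and has already crossed an origin boundary.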
-------------------------------------------------------
Here's the code where the emails and instant messages are prepared and sent:
In mobiquo/include/mobi_acp_email.php:
Collect email addresses and instant-message (Jabber) ids directly from the forum user database (phpBB), including "inactive" users:
if ($usernames)
{
    // If giving usernames the admin is able to email inactive users too...
    $sql = 'SELECT username, user_email, user_jabber, user_notify_type, user_lang
        FROM ' . USERS_TABLE . '
        WHERE ' . $db->sql_in_set('username_clean', array_map('utf8_clean_string', explode("\n", $usernames))) . '
            AND user_allow_massemail = 1
        ORDER BY user_lang, user_notify_type'; // , SUBSTRING(user_email FROM INSTR(user_email, '@'))
}
If the user has entered an instant-messaging id in their account settings, prepare an instant message (this is one branch of the condition that selects the delivery method):
($row['user_notify_type'] == NOTIFY_IM && $row['user_jabber']) ||
Send the email or instant message:
if (!($messenger->send($used_method)))
{
    $errored = true;
}
The forum administrator has a log of all emails and instant messages sent:
if ($usernames)
{
    $usernames = explode("\n", $usernames);
    add_log('admin', 'LOG_MASS_EMAIL', implode(', ', utf8_normalize_nfc($usernames)));
}