Third Party Information Disclosure to Session Hijacking in KAYAK mobile application

Original Post:
Account Takeover in KAYAK
We discussed this vulnerability during Episode 183 on 30 January 2023

Starts off with an exposed activity in the KAYAK app, ends up with session hijacking.

The exposed activity was ExternalAuthLoginActivity, which could be launched by any application or website. That on its own isn’t necessarily a problem, but one of the things this activity does is read an EXTRA_REDIRECT_URL value from the incoming intent and append a parameter containing the user’s KAYAK session cookie value to that URL before following it.

So any malicious website could launch this intent with its own URL in EXTRA_REDIRECT_URL and receive a callback carrying valid session cookies for KAYAK.
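A hardened handler for such an activity, as an added example in Java that is not KAYAK's code: the redirect target from EXTRA_REDIRECT_URL is accepted only if it is an https URL on an allowlisted host (the allowlist below is a hypothetical placeholder), and the session cookie is never placed in the URL at all.

```java
// Added example (not KAYAK's code): hardened handling of a redirect URL
// received through an intent extra by an exported activity.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class ExternalAuthLoginActivity extends Activity {
    // Extra name as described in the post; the allowed host is an assumption.
    static final String EXTRA_REDIRECT_URL = "EXTRA_REDIRECT_URL";
    static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.kayak.com")); // hypothetical allowlist

    // Returns the redirect target only if it is https and on an allowed host,
    // otherwise null. Called before anything sensitive happens.
    static Uri safeRedirect(String raw) {
        if (raw == null) return null;
        Uri uri = Uri.parse(raw);
        if (!"https".equalsIgnoreCase(uri.getScheme())) return null;
        String host = uri.getHost();
        if (host == null) return null;
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return null;
        // Reject URLs that carry userinfo; they are never legitimate here.
        if (uri.getUserInfo() != null) return null;
        return uri;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri target = safeRedirect(getIntent().getStringExtra(EXTRA_REDIRECT_URL));
        if (target == null) {
            // Untrusted or malformed redirect: do nothing and leave.
            finish();
            return;
        }
        // The session cookie stays in the app's cookie store; it is never
        // appended to a URL handed to another component.
        startActivity(new Intent(Intent.ACTION_VIEW, target));
    }
}
```

If the activity does not need to be started by other apps at all, declaring it with android:exported="false" in the manifest removes the entry point entirely, which is the stronger fix.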