Third Party Information Disclosure to Session Hijacking in KAYAK mobile application
Original Post:
We discussed this vulnerability during Episode 183 on 30 January 2023
Starts off with an exposed activity in the KAYAK app, ends up with session hijacking.
The exposed activity was ExternalAuthLoginActivity, which could be launched from any application or website. That isn’t necessarily a problem on its own, but one of the things this activity does is read an EXTRA_REDIRECT_URL from the incoming intent and append a parameter to that URL containing the user’s KAYAK session cookie value.
So any malicious website could launch this intent and receive a callback carrying valid session cookies for KAYAK.
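The missing control here is a check on where the redirect goes before a credential is attached to it. The following is an added example, not KAYAK’s code and not taken from the episode: a Python stand-in for the activity’s redirect handling that only appends a token when the target is an absolute https URL on an allowlist of hosts the app controls. The allowlist hostnames, the `token` parameter name and the intent-extras dictionary are constructed for this example.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hosts the app itself controls. Constructed placeholder values, not a real configuration.
TRUSTED_REDIRECT_HOSTS = frozenset({
    "app.example-travel.test",
    "login.example-travel.test",
})


def is_safe_redirect(url: str) -> bool:
    """Accept only absolute https URLs whose host is on the allowlist.

    Rejects scheme-relative URLs, non-https schemes, userinfo tricks such as
    "https://trusted.host@attacker.example/", look-alike subdomains of an
    attacker-controlled domain, and non-standard ports.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # may raise ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    # Any userinfo in the authority means the host is not what it looks like.
    if parts.username is not None or parts.password is not None:
        return False
    # hostname is lowercased and has userinfo/port stripped; exact match only,
    # so "app.example-travel.test.attacker.example" does not pass.
    host = parts.hostname
    if not host or host not in TRUSTED_REDIRECT_HOSTS:
        return False
    if port is not None and port != 443:
        return False
    return True


def build_callback(redirect_url: str, token: str) -> Optional[str]:
    """Return redirect_url with a token query parameter added, or None if untrusted.

    Assumed parameter name "token". Even for a trusted target, the value passed here
    should be a short-lived, single-use code rather than the long-lived session cookie.
    """
    if not is_safe_redirect(redirect_url):
        return None
    parts = urlsplit(redirect_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("token", token))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def handle_external_login(extras: dict, token: str) -> Optional[str]:
    """Mirror the activity's flow: read EXTRA_REDIRECT_URL from the intent extras
    (modelled as a dict), validate it, and only then build the callback URL."""
    redirect_url = extras.get("EXTRA_REDIRECT_URL")
    if not isinstance(redirect_url, str):
        return None
    return build_callback(redirect_url, token)


if __name__ == "__main__":
    # Constructed sample intents: one trusted target, one attacker-controlled target.
    print(handle_external_login({"EXTRA_REDIRECT_URL": "https://app.example-travel.test/auth?state=abc"}, "code-1"))
    print(handle_external_login({"EXTRA_REDIRECT_URL": "https://attacker.example/"}, "code-1"))
```

On Android the first fix is simpler still: an activity that is not meant to be launched by other apps should carry `android:exported="false"` in the manifest, so the validation above is defence in depth for the cases where the activity genuinely must be reachable from outside. Passing a long-lived session cookie in a query string is also risky on its own (it lands in server logs and Referer headers), which is why the example suggests a short-lived code exchanged server-side instead.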