How an Improper Access Control Vulnerability Led to Account Theft in One Click
ID: f4f5c1d2-4618-5d7b-8991-0a1887e7267e
STIX ID: report--f4f5c1d2-4618-5d7b-8991-0a1887e7267e
Feed Name: HackerOne Blog
This HackerOne report explains improper access control risks, business impacts, and remediation guidance. It highlights a critical real-world example in which a malicious deeplink in the KAYAK Android app allowed an unauthenticated attacker to steal session cookies and perform a one-click account takeover; KAYAK issued a patch via Google Play the next day.
