PayPal: [Venmo Android] Remote theft of user session

ID H1:401940
Type hackerone
Reporter bagipro
Modified 2019-02-07T23:05:45


A URL-handling activity in the Venmo Android app relied on the platform's built-in URL parser to validate incoming links. That parser has a known logic problem with certain characters, so the destination it reports cannot be trusted for an allowlist check. If a website or another app on the device passed a crafted external URL to the activity, the app opened it without properly validating the destination, which could expose some session data to a third party.
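The following is an added example, not code from the Venmo app or from the report. It models, in Python, the parser differential that makes a host allowlist built on a lenient URL parser bypassable, and shows a hardened check beside the weak one. The report does not name the characters involved; the example assumes the backslash case documented in AOSP's android.net.Uri (older releases let '\' sit inside the authority, while WebView/Chrome follow the WHATWG URL parser and end the host at '\'). The allowlist, the crafted link, and the session header attached to the load are all constructed for the example.

```python
# Added example (not Venmo or HackerOne code): model of a deep-link host
# check that is bypassable because two URL parsers disagree on the host.
# Assumption: the disagreement is android.net.Uri's historical handling of
# '\' versus the WHATWG URL parser used by WebView/Chrome.

ALLOWED_HOSTS = {"venmo.com"}  # constructed allowlist for the example


def _authority(uri: str, terminators: str):
    """Return the authority (text after 'scheme://') up to the first terminator,
    or None when the URL has no '//' authority part."""
    ssi = uri.find(":")
    if ssi < 0 or not uri.startswith("//", ssi + 1):
        return None
    end = ssi + 3
    while end < len(uri) and uri[end] not in terminators:
        end += 1
    return uri[ssi + 3:end]


def android_uri_host(uri: str):
    """Model of pre-fix android.net.Uri.getHost(): the authority runs until
    '/', '?' or '#' (a '\\' does not end it), and the host is whatever
    follows the LAST '@'."""
    authority = _authority(uri, "/?#")
    if authority is None:
        return None
    host = authority[authority.rfind("@") + 1:].split(":", 1)[0]
    return host or None


def whatwg_host(uri: str):
    """Model of the host WebView/Chrome connect to for http(s) URLs: '\\'
    ends the authority exactly like '/', so anything after it is path.
    Simplified model: no IPv6 brackets, no IDNA."""
    authority = _authority(uri, "/\\?#")
    if authority is None:
        return None
    host = authority[authority.rfind("@") + 1:].split(":", 1)[0]
    return host.lower() or None


def vulnerable_is_trusted(uri: str) -> bool:
    """The bypassable check: trust whatever host the lenient parser reports."""
    return android_uri_host(uri) in ALLOWED_HOSTS


def hardened_is_trusted(uri: str) -> bool:
    """Hardened check: require https, reject characters the parsers interpret
    differently (backslash, controls, space), and require both parsers to
    agree on an allowlisted host."""
    if not uri.lower().startswith("https://"):
        return False
    if any(c == "\\" or ord(c) < 0x21 for c in uri):
        return False
    host_a = android_uri_host(uri)
    host_b = whatwg_host(uri)
    return host_a is not None and host_a.lower() == host_b and host_b in ALLOWED_HOSTS


def request_headers(uri: str, is_trusted, session_token: str) -> dict:
    """Headers a WebView load of `uri` would carry. Constructed for the example:
    the session header is attached only when the check accepts the host, so a
    bypassed check sends the token to the attacker's server."""
    headers = {}
    if is_trusted(uri):
        headers["Authorization"] = "Bearer " + session_token
    return headers


if __name__ == "__main__":
    crafted = "https://evil.example\\@venmo.com/account"  # constructed attacker link
    print("lenient parser host:", android_uri_host(crafted))
    print("WebView host:       ", whatwg_host(crafted))
    for name, check in (("vulnerable", vulnerable_is_trusted),
                        ("hardened", hardened_is_trusted)):
        print(name, "->", request_headers(crafted, check, "s3ss10n"))
```

Running it shows the lenient model reporting venmo.com for the crafted link while the WebView model reports evil.example, so the vulnerable check attaches the session header to a load that actually goes to the attacker. On a device the same principle applies: do not derive trust from a single parser's `getHost()`, reject links containing characters whose meaning differs between parsers, and only attach session material when the destination is a fixed, exactly matched host.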