Expedia Group Bug Bounty: Cache Deception Allows Account Takeover

A vulnerability allowed an attacker to extract a user's session token from a cacheable page, leading to account takeover. The session token was reflected in the response of a cacheable URL, and the server responded with a 200 OK. The caching server saw the response as cacheable due to the file...