FULL PUBLIC DISCLOSURE: Airbnb Dismisses Critical Android Phishing Vulnerability, Prioritizing Silence Over User Safety
After exhausting all private channels and escalation paths, I am compelled to make this disclosure to protect users. Airbnb has officially classified a reproducible, high-impact Android vulnerability as "Informative" (negligible risk), a decision that I believe severely undermines the security of their user base.
When a company's triage process fails to recognize a clear danger, the ethical responsibility falls on the security community to act. This disclosure is a direct result of Airbnb's inaction and their refusal to acknowledge the technical reality of this flaw.
The Vulnerability: Deep Link Host Confusion
The flaw is a classic Host Confusion attack within the Airbnb Android app's deep link handler (DeepLinkEntryActivity). The app incorrectly parses RFC 3986-compliant URLs, creating a trust boundary violation.
· The Exploit: https://www.airbnb.com@url
· The App's View: Validates the host as the trusted www.airbnb.com (from the userinfo part) and launches.
· The Browser's View: Navigates to the malicious host attacker.com.
The result? The official Airbnb app is weaponized to launch a high-trust phishing attack, directly leading to Account Takeover (ATO).
Refuting Airbnb's Dismissal: Evidence from System Logs
Airbnb's triage team claimed a user would not associate the browser session with the Airbnb app. The system logs I provided during the report directly contradict this.
1. App Activation Proof: The system log shows the official Airbnb app is explicitly started to process the malicious URL:
START u0 {act=android.intent.action.VIEW ... cmp=com.airbnb.android/.lib.deeplinks.activities.DeepLinkEntryActivity}
2. Official Referrer Proof: The app passes an undeniable signature of its involvement to the browser:
Intent referrer extra: android-app://com.airbnb.android
This is not a simple open redirect. This is a trust chain compromise where the app's own authentication as a trusted entity is exploited to lend credibility to a malicious site.
The Impact: From Theoretical to Account Takeover
The risk is HIGH. By abusing the trusted relationship users have with the official app, an attacker can create a highly convincing phishing page that:
· Appears to be launched directly by Airbnb.
· Steals user credentials with a false sense of security.
· Leads directly to full account compromise.
The Corporate Failure
Airbnb's decision reveals a critical failure in their risk assessment:
· Their Stance: "Informative," "negligible risk."
· The Reality: A reproducible vulnerability with a clear path to Account Takeover.
I provided a 48-hour window to acknowledge the flaw and coordinate a responsible disclosure before this publication. Their silence confirms their priority: avoiding the financial cost of a bounty over the operational cost of fixing a critical user safety issue.
I have acted in accordance with the principles of ethical hacking. The responsibility for the public disclosure of this flaw now rests solely with Airbnb.
---
#FullDisclosure #CyberSecurity #AppSec #MobileSecurity #EthicalHacking #Vulnerability #Airbnb #HackerOne #TriageFail #AccountTakeover #Phishing #InfoSec
Airbnb is refusing to pay me the bounty and uses false claims that it's not a vulnerability to avoid paying the reward. This allows me to make a full public disclosure, and that is what I will do in the coming period. And I thought corporate mega companies would prioritise user safety over a few bucks to fix it. Never underestimate a guy with too much time on his hands.
The Android Airbnb app is not safe. You can receive malicious links or text messages, or even download an app, which opens up your Airbnb app with a browser / website that looks exactly like Airbnb. This isn't Airbnb but someone who can steal your credentials. I reported this to Airbnb in a bug bounty program but they lie about the vulnerability; if they admit it they are bound to pay me the reward. So that's very unfair but well, Airbnb isn't there for our well-being or giving guests good experiences. It's money. Anyway, because they refuse to pay me for finding the bug, I feel responsible to create awareness of this vulnerability so people don't get scammed. It should be the job of Airbnb but they are too busy making money. So just be careful with any websites that open up in your Airbnb app.