The TalkAuthCodeActivity from loginWithKakaoTalk is leading to account takeover

Android
1

The current version are Kakao = “2.4.0” and KakaoUserSdk = “2.20.3”.

For example,
Intent intent1 = new Intent().setClassName(“xxx”,“FirstActivity”).putExtra(“url”,“https://ATTACKER.COM”);
Intent intent2 = new Intent().setClassName(“xxx”,“com.kakao.sdk.auth.TalkAuthCodeActivity”).putExtra(“key.login.intent”,intent1);
Intent intent3 = new Intent().setClassName(“xxx”, “SecondActivity”).putExtra(“xxx”, intent2);
startActivity(intent3);

When we start the intent3:

  1. It will be delivered to the SecondActivity
  2. The SecondActivity will start the TalkAuthCodeActivity
  3. The TalkAuthCodeActivity will start the FirstActivity (the screen with user already sign in) leading to account takeover

Is this a known issue,

  • if yes, how can I set up the environment to prevent it?
  • if no, would you come up with the solution to solve it?
2

Hello,

intent redirection / nested intent abuse is a well-known Android security issue (see CWE-926). If an SDK or your app starts untrusted Intent objects received from outside without validation, it can lead to account takeover or session hijacking.

App-Level Hardening Against Intent Chaining

The attack scenario you describe works because an attacker passes a nested Intent as a Parcelable extra, and your app (via SecondActivity) eventually starts it without sanitization.

A. Reduce Exposure in AndroidManifest
Sensitive activities (like your FirstActivity that shows a signed-in screen) should not be exported (android:exported=“false”).

If SecondActivity must receive external intents:

  • Keep intent-filter minimal.
  • Use App Links with HTTPS domain verification — avoid custom schemes where possible.

On Android 12+, explicitly set android:exported to the intended value.

B. Sanitize Incoming Intents
Don’t start incoming intents directly. Use AndroidX’s IntentSanitizer to whitelist only safe fields.
Never allow Intent-typed extras from external sources.

C. Verify Caller Package
If you only expect callbacks from KakaoTalk, use getReferrer(), getCallingPackage(), and PackageManager to whitelist the caller (com.kakao.talk).

D. Lock Down Intent Execution
Use setPackage(…) or explicit component names for targets.
Avoid Intent.createChooser(…) for security-sensitive flows.
Never execute nested Intents from untrusted input.
For PendingIntent, use FLAG_IMMUTABLE and do not hand it to external apps.

Re-check Kakao SDK Setup

  • Only expose AuthCodeHandlerActivity as per docs.
  • Match the exact redirect_uri you registered on Kakao Developers (e.g., kakao${NATIVE_APP_KEY}://oauth).
  • Remove any custom extra handling or intermediate activities not in the documented flow.
  • Use OIDC security parameters ( nonce) to protect against replay and CSRF.

Known Issue Status & Reporting

  • No public CVE or Kakao release note explicitly names this as a known “account takeover” flaw.
  • If you can reliably reproduce the attack, you should report it via Kakao’s Bug Bounty security channels with:
    • Exact environment & version
    • PoC steps
    • ADB logs / am commands or PoC APK