I woke up this morning to an email on my mobile from Booking.com stating:
Thanks! Your booking is confirmed at K Hotel 14 (SG Clean)
I checked the legitimacy of this email, and it was indeed from Booking.com.
So I checked whether I had ever made any booking on Booking.com, and to my surprise there was not a single record in my booking history on Booking.com. So I came back to this email and clicked the link they provided me.
I thought someone had got access to my credit card and was using it on the site. To my surprise, Booking.com provided me all the confidential details to edit the reservation on the website in my email itself. They provided me the confirmation ID and the confidential PIN, which should never be shared in the email.
I cancelled the trip and booking immediately, only to realize later that it wasn't a credit card scam but a vulnerability from Booking.com: they sent the email to the wrong person along with all the confidential details to change or cancel the booking.
This is the proof that I was allowed to cancel someone else's reservation on Booking.com.
I would report this to Booking.com and see if they close this vulnerability.