allowed me to enter someone else's account and cancel their reservation - Zero Day Vulnerability


I woke up this morning with an email on my mobile from stating:

Thanks! Your booking is confirmed at K Hotel 14 (SG Clean)

I checked the legitimacy of this email and this was indeed from

So I checked if I ever made any booking on and to my surprise there was not a single record in booking history on So I came back to this email and clicked the link they provided me.

I thought someone got access to my credit card and was using it on site. To my surprise provided me all the confidential details to edit the reservation on the website in my email itself. They provided me the confirmation ID and the confidential PIN, which should never be shared in the email.

I cancelled the trip and booking immediately, only to realize later that it wasn't a credit card scam but a vulnerability from the that they sent the email to the wrong person along with all the confidential details to change or cancel the booking.

This is the proof that I was allowed to cancel someone else's reservation on

I would report this to and see if they close this vulnerability.