Booking.com allowed me to enter someone else's account and cancel their reservation - Zero Day Vulnerability


Booking.com Zero Day Vulnerability - I got a mail from Booking.com confirming a booking which I didn't make. I checked the email and the link took me to the confirmation page on booking.com. I cancelled the booking, only to realize later that Booking.com had let me enter..

I woke up today morning with an email on my mobile from Booking.com stating:

Thanks! Your booking is confirmed at K Hotel 14 (SG Clean)

I checked the legitimacy of this email and it was indeed from Booking.com.


So I checked whether I had ever made any booking on booking.com and, to my surprise, there was not a single record in my booking history on booking.com. So I came back to this email and clicked the link they provided me.


I thought someone had got access to my credit card and was using it on the site. To my surprise, Booking.com had provided all the confidential details needed to edit the reservation on the website in the email itself. They provided the confirmation ID and the confidential PIN, which should never be shared in an email.

I cancelled the trip and the booking immediately, only to realize later that it wasn't a credit card scam but a vulnerability on Booking.com's side: they sent the email to the wrong person along with all the confidential details needed to change or cancel the booking.

This is the proof that I was allowed to cancel someone else's reservation on Booking.com.



I would report this to Booking.com and see if they close this vulnerability.
