> Five minutes later, I check and it had found a /cancel.php URL that accepted an ID but the ID wasn't exposed anywhere, so it found and was exploiting a blind SQL injection vulnerability to find my reservation ID.
xkcd was prescient once again... https://xkcd.com/416/
Hell, this one time, my AI assistant hacked itself trying to book an appointment for me!