After a user has bought a ticket, an example of a ticket would look like, but due to missing validation, the URL can be shortened to

This allows an attacker to take the ID value from another purchase in the download_ticket parameter, iterate through the order_key parameter from 00000000 to 99999999, and steal tickets from other participants.
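A detection check for the enumeration described above, as an added example that is not part of the original advisory or the affected project's code: it scans web access logs for a single download_ticket ID being requested with many different order_key values. The combined log format, the `/` request path, the status codes, the threshold and the sample lines are constructed assumptions; only the two parameter names come from the text.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed threshold: a legitimate buyer presents one order_key per ticket ID.
MAX_DISTINCT_KEYS = 3

# Client address and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|HEAD|POST) (?P<target>\S+) HTTP/[\d.]+"')

def find_order_key_enumeration(log_lines, max_distinct=MAX_DISTINCT_KEYS):
    """Return {ticket_id: {"distinct_keys": n, "clients": [...]}} for IDs over the threshold.

    Keys are counted per ticket ID across all clients, so a walk through the
    key space that is spread over several source addresses is still counted.
    """
    keys_seen = defaultdict(set)
    clients_seen = defaultdict(set)
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        ticket_ids, keys = query.get("download_ticket"), query.get("order_key")
        if not ticket_ids or not keys:
            continue  # not a ticket download request
        keys_seen[ticket_ids[0]].add(keys[0])
        clients_seen[ticket_ids[0]].add(m.group("ip"))
    return {
        tid: {"distinct_keys": len(k), "clients": sorted(clients_seen[tid])}
        for tid, k in keys_seen.items() if len(k) > max_distinct
    }

def build_sample_log():
    """Constructed sample: one normal download, one client walking order_key values."""
    fmt = ('{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] '
           '"GET /?download_ticket={tid}&order_key={key} HTTP/1.1" {status} 512')
    lines = [fmt.format(ip="198.51.100.7", sec=0, tid=41, key="48213377", status=200)]
    for i in range(20):
        lines.append(fmt.format(ip="203.0.113.9", sec=i + 1, tid=42, key=f"{i:08d}", status=404))
    lines.append('203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /favicon.ico HTTP/1.1" 200 318')
    return lines

if __name__ == "__main__":
    for tid, hit in find_order_key_enumeration(build_sample_log()).items():
        print(f"download_ticket={tid}: {hit['distinct_keys']} distinct order_key values from {hit['clients']}")
```

The same per-ID counter can back a server-side rate limit, but the underlying fix is validating the full URL and using an order key that cannot be enumerated.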