IDOR in activateFuelCard id allows bulk lookup of driver uuids
Discovered by cablej on Uber

This issue took 0 Days and 0 hours to triage and 321 Days and 14 hours to resolve once triaged.

Due to an IDOR in the <code>activateFuelCard</code> endpoint, an attacker could enumerate driver UUIDs. Given a sequential card ID number, the endpoint returned the UUID of the driver that card was assigned to, without checking that the caller owned the card, allowing an attacker to gather many driver UUIDs for use in a different attack.
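As an added illustration (not Uber's code; the data layout, function names and request log are assumptions), the lookup pattern behind this class of bug beside a hardened version that authorises on the server side, plus a simple check that flags callers sweeping many card IDs:

```python
from collections import defaultdict

# Constructed sample data: sequential card IDs mapped to the assigned driver.
DRIVER_A = "6f1c2b0e-0000-4000-8000-00000000000a"
DRIVER_B = "6f1c2b0e-0000-4000-8000-00000000000b"
FUEL_CARDS = {
    1001: {"driver_uuid": DRIVER_A, "activated": False},
    1002: {"driver_uuid": DRIVER_B, "activated": False},
    1003: {"driver_uuid": DRIVER_B, "activated": False},
}

def activate_fuel_card_vulnerable(card_id, caller_uuid):
    """IDOR: the lookup trusts card_id alone, so any authenticated caller
    who walks the sequential ID space collects other drivers' UUIDs."""
    card = FUEL_CARDS.get(card_id)
    if card is None:
        return {"error": "not_found"}
    card["activated"] = True
    return {"driver_uuid": card["driver_uuid"]}

def activate_fuel_card_hardened(card_id, caller_uuid):
    """Server-side authorisation: the card must be assigned to the caller.
    Foreign and nonexistent cards get an identical response, so the endpoint
    cannot be used as an oracle for which IDs exist."""
    card = FUEL_CARDS.get(card_id)
    if card is None or card["driver_uuid"] != caller_uuid:
        return {"error": "not_found"}
    card["activated"] = True
    return {"driver_uuid": caller_uuid}  # nothing the caller did not already know

def enumerating_callers(requests, threshold=3):
    """Detection: callers that tried at least `threshold` distinct card IDs.
    A legitimate driver activates one card; a sweep touches many."""
    ids_by_caller = defaultdict(set)
    for req in requests:
        ids_by_caller[req["caller"]].add(req["card_id"])
    return sorted(c for c, ids in ids_by_caller.items() if len(ids) >= threshold)

# Constructed request log: DRIVER_A activates their own card, DRIVER_B sweeps.
REQUEST_LOG = [
    {"caller": DRIVER_A, "card_id": 1001},
    {"caller": DRIVER_B, "card_id": 1001},
    {"caller": DRIVER_B, "card_id": 1002},
    {"caller": DRIVER_B, "card_id": 1003},
    {"caller": DRIVER_B, "card_id": 1004},
]
```

The hardened handler also returns nothing the caller could not already see, which is the other half of the fix: even a correctly authorised card activation has no reason to echo back a UUID.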

Thanks, <a href="/cablej">@cablej</a>!