We found the bug in how Vetco generates PDF documents for its customers. Its PDF page was public and was indexed by Google, which is how we found it. Worse, an IDOR bug in the URL meant it was possible for anyone to obtain customer data by changing the customer's unique ID by a single digit. 馃う
