CRITICAL Insecure Direct Object Reference (I.D.O.R) - Link Other User's Credit Card
High
Yelp
Team Summary
Official summary from Yelp
@hk755a discovered an Insecure Direct Object Reference Vulnerability that allowed an attacker to associate a randomly added (but subsequently deregistered) credit card with their own account, via the `/rewards/signup` endpoint. While the attacker would not have been able to use this credit card as their own (nor view any primary account numbers (PAN) for said cards), the attacker may have been able to glean the transaction history associated with the card, as well as cash back amounts received. Yelp was able to quickly validate and fix the vulnerability within two days. Thanks to @hk755a for working with us to fix this bug!
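Added example, not Yelp's code: a minimal model of the card-linking authorization check the summary describes, showing a lookup that trusts the client-supplied card id beside one scoped to the authenticated user that also refuses deregistered cards. The handler names, the `card_id`/`owner_id` fields and the sample data are assumptions.

```python
"""Added example (not Yelp's code): the IDOR pattern from the summary, modelled
as a hypothetical 'link card to rewards account' handler in two versions."""
from dataclasses import dataclass


@dataclass
class Card:
    card_id: int
    owner_id: int   # user who registered the card
    active: bool    # False once the card has been deregistered


# Constructed sample data: card 42 belongs to user 1 and was deregistered;
# card 43 belongs to user 2 and is still active.
CARDS = {
    42: Card(card_id=42, owner_id=1, active=False),
    43: Card(card_id=43, owner_id=2, active=True),
}


class Forbidden(Exception):
    """Raised when the caller may not link the requested card."""


def link_card_vulnerable(current_user: int, card_id: int, rewards: dict) -> Card:
    """Trusts the client-supplied card_id: any existing card can be linked,
    regardless of who registered it or whether it is still active."""
    card = CARDS[card_id]
    rewards.setdefault(current_user, set()).add(card.card_id)
    return card


def link_card_fixed(current_user: int, card_id: int, rewards: dict) -> Card:
    """Scopes the lookup to the caller and rejects deregistered cards."""
    card = CARDS.get(card_id)
    if card is None or card.owner_id != current_user:
        # Same response for missing and foreign cards: no existence oracle.
        raise Forbidden("card not found for this account")
    if not card.active:
        raise Forbidden("card is no longer registered")
    rewards.setdefault(current_user, set()).add(card.card_id)
    return card


def attempt(handler, user_id: int, card_id: int, rewards: dict) -> str:
    """Run a handler and report the outcome: 'linked:<id>' or 'forbidden'."""
    try:
        return f"linked:{handler(user_id, card_id, rewards).card_id}"
    except (Forbidden, KeyError):
        return "forbidden"
```

Running `attempt(link_card_vulnerable, 2, 42, {})` links user 1's deregistered card to user 2's rewards account, while the fixed handler refuses both the foreign card and the owner's own deregistered one.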
Reported by
hk755a
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Privacy Violation