• fox@vlemmy.net
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    However, the two Jumpsec Red Team members found that they could go around the restriction by changing the internal and external recipient ID in the POST request of a message, thus fooling the system into treating an external user as an internal one.

    so they only do the check on client side. classic.