I've just confirmed this locally. As a guest user, I'm able to create a direct call to a signed-in FxA user via their email address. According to RT, this shouldn't be possible, as it creates the possibility to spam logged-in users without being logged in.
That's correct, thanks for reporting!
Assignee: nobody → rhubscher
Status: NEW → ASSIGNED
Created attachment 8500417: Link to GitHub PR.
Comment on attachment 8500417 (Link to GitHub PR): r+ing for me and Tarek since he's off until Wed.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Part of 0.12.4/0.12.5
Version 0.12.5 is out in Stage and in Prod.
Status: RESOLVED → VERIFIED