An attacker can submit arbitrary projects to their service accounts and obtain full information on projects of other users.