IOVLabs disclosed a bug submitted by luk-matczak: https://hackerone.com/reports/502207 – Bounty: $2000 [Source]