When the user logs in, the password is validated against the UAS. The session id is supposed to be checked for validity while processing subsequent requests. Well... it's not. It is possible to bypass the login screen entirely and use the service.
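The missing check, as an added example that is not code from the affected service: a request handler that never looks up the session id, next to one that resolves it server-side on every request. All names, the TTL value and the stubbed UAS password check are assumptions made for illustration.

```python
import hmac
import secrets
import time

SESSION_TTL = 900  # seconds; assumed value, not from the page


class SessionStore:
    """Server-side record of sessions issued after a successful login."""

    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._sessions = {}  # session id -> (user, expiry time)
        self._ttl = ttl
        self._clock = clock

    def issue(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable random identifier
        self._sessions[sid] = (user, self._clock() + self._ttl)
        return sid

    def validate(self, sid):
        """Return the user bound to a live session id, else None."""
        if not isinstance(sid, str):
            return None
        entry = self._sessions.get(sid)
        if entry is None:
            return None  # never issued by this server
        user, expiry = entry
        if self._clock() >= expiry:
            del self._sessions[sid]  # expired: drop it and reject
            return None
        return user


def check_password_with_uas(user, password):
    # Hypothetical stand-in for the UAS password check (constructed credentials).
    return user == "alice" and hmac.compare_digest(password.encode(), b"correct horse")


def login(store, user, password):
    return store.issue(user) if check_password_with_uas(user, password) else None


def handle_request_unchecked(store, sid, action):
    # Behaviour described above: the session id is never looked up.
    return (200, f"{action} done")


def handle_request_checked(store, sid, action):
    # Hardened form: every request must resolve to a live server-side session.
    user = store.validate(sid)
    if user is None:
        return (401, "login required")
    return (200, f"{action} done for {user}")
```
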