A flaw was found in Moodle prior to 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.
moodle moodle