Yep, for one, you shouldn’t be able to just hand over your credentials to other people and they can immediately start doing stuff in your systems.

Also, the ability to impersonate people (not just celebrities) should require at least manual approvals. Not sure why this ability even exists.

The original speculation (that it was an API vulnerability) is actually easier to stomach.