macOS client does not properly validate file uploads on its macOS inbox. That is because, by not setting the com.apple.quarantine attribute in the metadata of an executable file when it is uploaded, you allow the file to be executed on macOS without being checked by Gatekeeper.
Basically, the bug here is that when sending an executable as a message, when opening it, the "file cannot be opened because it is from an unidentified developer" doesn't pop-up, the executable just gets executed
https://hackerone.com/reports/1019389