Clients can use the avatar and alias parameters of outgoing messages to impersonate other users in group chats.
Description
The Meteor call sendMessage accepts a custom avatar and alias, which in combination allow impersonation of other chat room members. Messages with a spoofed sender can potentially be used in social engineering attacks.
https://hackerone.com/reports/1031525
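
One way a server could handle these fields, shown as an added example that is not code from the affected project or from the report: strip a client-supplied alias and avatar unless the sender is explicitly allowed to set them, and record an event when an alias matches another room member. The function names, the `canImpersonate` flag, the event names and the member object shape are assumptions made for illustration.

```javascript
// Hypothetical server-side check for the alias/avatar fields of an outgoing message.
const DISPLAY_FIELDS = ['alias', 'avatar'];

// Normalise names so "ALICE ", "alice" and full-width forms compare equal.
function normalizeName(name) {
  return String(name).normalize('NFKC').trim().toLowerCase();
}

// Return the room member (other than the sender) whose username or
// display name equals the requested alias, or null if there is none.
function findImpersonatedMember(alias, sender, roomMembers) {
  if (typeof alias !== 'string' || alias.trim() === '') return null;
  const wanted = normalizeName(alias);
  return roomMembers.find((m) =>
    m.id !== sender.id &&
    [m.username, m.name].filter(Boolean).some((n) => normalizeName(n) === wanted)
  ) || null;
}

// Build the message that will be stored, plus audit events for the log.
// Senders without canImpersonate never get to choose alias or avatar.
function sanitizeOutgoingMessage(message, sender, roomMembers) {
  const clean = { ...message };
  const events = [];
  for (const field of DISPLAY_FIELDS) {
    if (field in clean && !sender.canImpersonate) {
      delete clean[field];
      events.push({ type: 'display-field-stripped', field, senderId: sender.id });
    }
  }
  // Flag look-alike aliases even for privileged senders (bots, integrations).
  const target = findImpersonatedMember(message.alias, sender, roomMembers);
  if (target) {
    events.push({ type: 'alias-matches-member', senderId: sender.id, targetId: target.id });
  }
  return { message: clean, events };
}

// Constructed sample data, not taken from the report.
const sampleMembers = [
  { id: 'u1', username: 'alice', name: 'Alice Admin' },
  { id: 'u2', username: 'mallory', name: 'Mallory' },
];
const sampleSpoofed = { rid: 'room1', msg: 'hello', alias: 'Alice Admin', avatar: '/avatar/alice' };
```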