I just found an IDOR in https://hello.dev.myhubs.net/. It allows an attacker to send a message on behalf of another user.
Steps to reproduce:
    1. Admin: create a room.
    2. Attacker: join the room.
    3. Attacker: read the "session_id" of another user from the "presence_diff" response.
    4. Attacker: add a "session_id" parameter to the send-message request:
       ["8",null,"hub:84fbckn","message",{"session_id":"<victim_session_id>","body":"eeeee","type":"chat"}]
    5. The message is now sent on behalf of the victim.
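
The steps above come down to the server trusting a session_id supplied inside the channel payload instead of the session it bound to the socket at join. As an added example (not code from Hubs or its reticulum server), the Python model below parses a Phoenix channel frame of the shape quoted in step 4 and contrasts a handler that reads the sender from the payload with one that takes the sender only from the server-side socket binding and flags a mismatching client-supplied session_id. The socket-to-session table, the session ids and the handler logic are constructed assumptions for illustration.

```python
"""Added example, not Hubs/reticulum code: why a client-supplied session_id in a
Phoenix channel "message" event must be ignored (or rejected) server-side.

Phoenix channel frames on the wire are JSON arrays:
    [join_ref, ref, topic, event, payload]
Everything below (session ids, socket table, both handlers) is a constructed
model of the behaviour described in the report, not the real implementation.
"""
import json

# Constructed: the session id the server bound to each socket when it joined.
# In a real Phoenix app this lives in socket assigns set during channel join.
SOCKET_SESSIONS = {
    "socket-attacker": "sess-attacker-111",
    "socket-victim": "sess-victim-222",
}

# The frame from the report, with a constructed victim session id filled in.
ATTACKER_FRAME = json.dumps([
    "8", None, "hub:84fbckn", "message",
    {"session_id": "sess-victim-222", "body": "eeeee", "type": "chat"},
])

# Constructed: what a well-behaved client sends (no session_id at all).
HONEST_FRAME = json.dumps([
    "9", None, "hub:84fbckn", "message",
    {"body": "hi", "type": "chat"},
])


def parse_frame(raw):
    """Parse a Phoenix channel frame into its five named parts."""
    parts = json.loads(raw)
    if not isinstance(parts, list) or len(parts) != 5:
        raise ValueError("not a Phoenix channel frame")
    join_ref, ref, topic, event, payload = parts
    if not isinstance(payload, dict):
        raise ValueError("payload must be an object")
    return {"join_ref": join_ref, "ref": ref, "topic": topic,
            "event": event, "payload": payload}


def handle_message_vulnerable(socket_id, raw):
    """Model of the flawed behaviour: if the client-controlled payload carries a
    session_id, it is used as the sender, so any joined client can impersonate
    any other session it learned from presence_diff."""
    frame = parse_frame(raw)
    if frame["event"] != "message":
        return None
    payload = frame["payload"]
    sender = payload.get("session_id", SOCKET_SESSIONS[socket_id])
    return {"topic": frame["topic"], "from_session_id": sender,
            "body": payload["body"]}


def handle_message_fixed(socket_id, raw):
    """Hardened model: the sender is always the session bound to the socket at
    join. A payload session_id that names another session is an impersonation
    attempt, so the message is refused (and would be logged)."""
    frame = parse_frame(raw)
    if frame["event"] != "message":
        return None
    payload = frame["payload"]
    bound_session = SOCKET_SESSIONS[socket_id]
    if "session_id" in payload and payload["session_id"] != bound_session:
        raise PermissionError(
            f"{socket_id} tried to send as {payload['session_id']}")
    return {"topic": frame["topic"], "from_session_id": bound_session,
            "body": payload["body"]}


def summarize():
    """Run both handlers, as the attacker's socket, over both frames and report
    who each handler attributes the message to ('rejected' if refused)."""
    out = {}
    for name, fn in (("vulnerable", handle_message_vulnerable),
                     ("fixed", handle_message_fixed)):
        for label, frame in (("attacker_frame", ATTACKER_FRAME),
                             ("honest_frame", HONEST_FRAME)):
            try:
                out[(name, label)] = fn("socket-attacker", frame)["from_session_id"]
            except PermissionError:
                out[(name, label)] = "rejected"
    return out


if __name__ == "__main__":
    for (handler, frame), attributed_to in summarize().items():
        print(f"{handler:10s} {frame:15s} -> {attributed_to}")
```

The fixed handler deliberately rejects rather than silently overwrites a mismatching session_id: a rejection produces a log line that tells an operator someone is probing for exactly this flaw, while an overwrite hides it.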