Hello Ago,
I have edited your post to remove discussion of the attack and reported it as https://tracker.moodle.org/browse/MDL-57580 (which is security restricted).
I have done this due to our security policy of responsible disclosure. If this is indeed a bug, then we would like to fix it before revealing the details.