Not sure wether we already fixed this one: Dan Reed discovered that a user can send and listen to messages on another user's per-user session bus if they know the address of the socket.
*** This bug has been marked as a duplicate of 80601 ***