Mojira Archive
WEB-1001

Skin Change API Endpoint allows skin changes via auth bearer for accounts with security questions

The bug

The API endpoint for changing player skins allows the user to change their skin without asking the user for their security questions, which neither the Minecraft launcher nor the browser allows.

How to reproduce

  1. Make sure you have security questions set for your account
  2. Get the authentication bearer from Yggdrasil
  3. Send a POST request to Minecraft's skin API – the server will return 204 and change the account's skin even though security questions are set

I've written a Java class using Apache HTTPComponents and JSON-java for changing the skin of an account via this API endpoint. If you have access to an unmigrated Minecraft account, you can use this class to reproduce this issue.

Won't Fix

[Mod] bemoty

2018-03-11, 03:32 PM

2021-11-16, 03:20 PM

2021-11-16, 03:20 PM
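The check this report says is missing, sketched as server-side logic. This is an added example, not Mojang's code or part of the original report; the `Account` and `Session` models, their field names and the 403 response are assumptions, and only the 204 success status comes from the report.

```python
from dataclasses import dataclass
from http import HTTPStatus
from typing import Dict, Optional


@dataclass(frozen=True)
class Account:  # hypothetical account record
    account_id: str
    has_security_questions: bool


@dataclass(frozen=True)
class Session:  # hypothetical state bound to one bearer token
    account_id: str
    token_valid: bool
    challenge_passed: bool  # True only after the security questions were answered


def authorize_skin_change(session: Optional[Session], account: Account) -> HTTPStatus:
    """Decide the response status for a skin-change request at the API layer."""
    if session is None or not session.token_valid:
        return HTTPStatus.UNAUTHORIZED
    if session.account_id != account.account_id:
        return HTTPStatus.FORBIDDEN
    # The step-up check: a valid bearer token alone is not enough when the
    # account has security questions configured. Enforcing it here covers
    # every client, not only the launcher and the browser.
    if account.has_security_questions and not session.challenge_passed:
        return HTTPStatus.FORBIDDEN
    return HTTPStatus.NO_CONTENT


def handle_skin_post(session: Optional[Session], account: Account,
                     skin_png: bytes, store: Dict[str, bytes]) -> HTTPStatus:
    """Apply the skin only when authorization succeeds; otherwise leave it untouched."""
    status = authorize_skin_change(session, account)
    if status is HTTPStatus.NO_CONTENT:
        store[account.account_id] = skin_png
    return status


# Constructed sample data for demonstration.
PROTECTED = Account("acct-1", has_security_questions=True)
BEARER_ONLY = Session("acct-1", token_valid=True, challenge_passed=False)
VERIFIED = Session("acct-1", token_valid=True, challenge_passed=True)
```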