Mojira Archive
WEB-1010

Security flaw -- anyone with authorization can deselect any cape by UUID

This report will be updated as more information becomes available.

Earlier today every user with a cape cached on namemc.com had their cape selection reset by a malicious script. Here are some screenshots regarding it:
https://imgur.com/BQenbM3
https://cdn.discordapp.com/attachments/212266213085020161/426419176190640128/image.png (thanks to Aerh)

The cape itself is not revoked and can be re-selected on the profile page.

Quick work by Mustek narrowed down the issue: a cape deselect request for any UUID is accepted with any valid authorization, not specifically the authorization of the account that owns that UUID.
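The flaw described above is a missing object-level authorization check: the endpoint trusts the UUID in the request and only verifies that the caller holds some valid session. The following is an added illustration, not Mojang's code and not the real cape API; the session store, profile store, token strings and UUIDs are all constructed for the example. It shows the broken handler beside a fixed one that refuses to change any profile other than the one the session was issued for.

```python
# Added example (hypothetical, not Mojang's code): a minimal model of a cape
# "deselect" endpoint that takes a target UUID plus a bearer token.
# The vulnerable handler only checks that the token is valid; the fixed handler
# also checks that the token's owner is the account being modified.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Profile:
    uuid: str
    selected_cape: Optional[str]


# Constructed sample session store: bearer token -> UUID it was issued to.
SESSIONS: Dict[str, str] = {
    "token-alice": "uuid-alice",
    "token-bob": "uuid-bob",
}


def make_profiles() -> Dict[str, Profile]:
    """Fresh constructed profile store so each call starts from a clean state."""
    return {
        "uuid-alice": Profile("uuid-alice", "cape-example-a"),
        "uuid-bob": Profile("uuid-bob", "cape-example-b"),
    }


class Unauthorized(Exception):
    """No valid session was presented."""


class Forbidden(Exception):
    """A valid session tried to act on an object it does not own."""


def deselect_cape_vulnerable(profiles: Dict[str, Profile], token: str, target_uuid: str) -> Profile:
    """Broken authorization: any valid session may deselect any UUID's cape."""
    if token not in SESSIONS:
        raise Unauthorized("no valid session")
    # The target comes straight from the request and is never compared to the caller.
    profile = profiles[target_uuid]
    profile.selected_cape = None
    return profile


def deselect_cape_fixed(profiles: Dict[str, Profile], token: str, target_uuid: str) -> Profile:
    """Object-level authorization: the caller may only modify its own profile."""
    caller_uuid = SESSIONS.get(token)
    if caller_uuid is None:
        raise Unauthorized("no valid session")
    if caller_uuid != target_uuid:
        # Reject before touching any state; this mismatch is the event to alert on.
        raise Forbidden(f"session for {caller_uuid} may not modify {target_uuid}")
    profile = profiles[target_uuid]
    profile.selected_cape = None
    return profile


def demo() -> Dict[str, Optional[str]]:
    """Run both handlers with Bob's token against Alice's UUID and report the outcome."""
    results: Dict[str, Optional[str]] = {}

    vuln = make_profiles()
    deselect_cape_vulnerable(vuln, "token-bob", "uuid-alice")
    results["vulnerable_alice_cape"] = vuln["uuid-alice"].selected_cape  # None: cross-account reset

    fixed = make_profiles()
    try:
        deselect_cape_fixed(fixed, "token-bob", "uuid-alice")
        results["fixed_outcome"] = "allowed"
    except Forbidden:
        results["fixed_outcome"] = "forbidden"
    results["fixed_alice_cape"] = fixed["uuid-alice"].selected_cape  # unchanged

    # The owner can still deselect their own cape through the fixed handler.
    deselect_cape_fixed(fixed, "token-alice", "uuid-alice")
    results["fixed_alice_cape_after_own_request"] = fixed["uuid-alice"].selected_cape
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A stricter variant of the fix drops the client-supplied UUID entirely and derives the target from the session, so there is no value for a caller to tamper with; the comparison form above is shown because it maps directly onto the report's wording.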

Fixed

[Mod] tryashtar

[Mojang] Web Team

2018-03-22, 04:50 PM

2018-05-27, 04:25 AM

2018-03-22, 05:12 PM

1

3