Expected afaik. But I might be wrong, it might not fit in the realm of OWASP, but it is a glaringly obvious security flaw that any respectable team would get onto fixing asap.

It's a small change for large benefit. This is contrary to spam and fake account detection which requires constant monitoring and manual intervention because it is very easy to catch false positives and for people to work around when the problem is more subjective than objective.