It's not too hard to find vulnerabilities like this out there, but it is a true pleasure to see how well described and at the same time well documented the vulnerabilities and disclosure process in this case are handled. This makes it particularly useful to learn from as a real-life example. Well written, thank you for this cool piece of security work.