After reading this I have no idea how he actually discovered the vulnerability, aside from a handwavy statement about messing with form input.

Most of the writeup is just a narrative about what he saw and who he talked to afterwards. I'm a little disappointed. I was hoping for more technical detail.
Wait, account passwords were visible?

Was this a case of account passwords being sent to Twitter Support by users - 'hey, I can't log in, my password is bigclown' - or does Twitter Support have a way to access the user's actual password?

If it's the latter, that's a time bomb waiting to go off.
This reminds me of some flaw with Skype's billing system which allowed me to download invoices for virtually every paying business customer just by replacing some chars in a URL. The invoices included a lot of personal details together with various bank account & phone numbers.

Took me 8 months to get someone at Skype to acknowledge the issue; to my knowledge it was never escalated. Wouldn't be surprised if it's still there...
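The flaw the comment above describes (swap a few characters in the invoice URL, get someone else's invoice) is an insecure direct object reference: the server looks the record up by the id in the URL and never checks that the record belongs to the logged-in customer. The example below is added here to illustrate that pattern; it is not Skype's code or anything from the thread. The invoice store, customer ids and bank account strings are constructed placeholders, and the "hardened" handler shows the one check that closes the hole plus the audit trail a defender would want in order to spot id tampering.

```python
"""Insecure direct object reference (IDOR) on an invoice download endpoint.

Constructed illustration, not code from any real billing system: a toy
invoice store, a handler that trusts the URL's invoice id alone, and a
hardened handler that verifies ownership against the authenticated identity
and records every denied lookup for detection.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    customer_id: str
    amount_eur: float
    bank_account: str  # sensitive field; value below is a made-up placeholder


# Constructed sample data. Note the sequential ids: trivially guessable.
INVOICES: Dict[str, Invoice] = {
    "INV-1001": Invoice("INV-1001", "cust-A", 120.0, "XX00 0000 0000 0001"),
    "INV-1002": Invoice("INV-1002", "cust-B", 450.0, "XX00 0000 0000 0002"),
    "INV-1003": Invoice("INV-1003", "cust-A", 80.0, "XX00 0000 0000 0001"),
}

# In-memory audit log standing in for whatever the real service would ship
# to its SIEM. Each entry: who asked, for what, and whether it was allowed.
AUDIT_LOG: List[Dict[str, str]] = []


def get_invoice_vulnerable(invoice_id: str) -> Optional[Invoice]:
    """Vulnerable handler: the URL id is the only input, so any logged-in
    user (or anyone who can reach the endpoint) can read any invoice."""
    return INVOICES.get(invoice_id)


def get_invoice_hardened(authenticated_customer_id: str,
                         invoice_id: str) -> Optional[Invoice]:
    """Hardened handler: the identity comes from the session, never from the
    request, and the record is released only if it belongs to that identity.

    A missing invoice and a foreign invoice both return None so the response
    does not act as an oracle for which ids exist; the audit log keeps the
    distinction for the defenders.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None:
        AUDIT_LOG.append({"customer": authenticated_customer_id,
                          "invoice": invoice_id, "result": "missing"})
        return None
    if inv.customer_id != authenticated_customer_id:
        AUDIT_LOG.append({"customer": authenticated_customer_id,
                          "invoice": invoice_id, "result": "denied"})
        return None
    AUDIT_LOG.append({"customer": authenticated_customer_id,
                      "invoice": invoice_id, "result": "ok"})
    return inv


def denied_count(customer_id: str) -> int:
    """Detection helper: how many times this identity was refused a record.
    A session racking up denials across many ids is walking the id space."""
    return sum(1 for e in AUDIT_LOG
               if e["customer"] == customer_id and e["result"] == "denied")


if __name__ == "__main__":
    # cust-A reads cust-B's invoice through the vulnerable path...
    print("vulnerable:", get_invoice_vulnerable("INV-1002"))
    # ...and is refused through the hardened one.
    print("hardened:  ", get_invoice_hardened("cust-A", "INV-1002"))
    print("own record:", get_invoice_hardened("cust-A", "INV-1001"))
    print("denials for cust-A:", denied_count("cust-A"))
```

The ownership check is the actual fix; unguessable invoice ids are worth adding as well, but only as defence in depth, since an id that leaks (in an email, a log, a browser history) must still be useless to anyone who is not its owner.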
You usually don't have to write headlines like "1.5M users compromised!" to get people to fix trivial web flaws. Also, before asking VCs and posting public Twitter messages and spending two days trying to track down a security contact, try mailing "security@" <i>first</i>; as you discovered, that sensible default generated an immediate response.

<i>Edited out "not '96 anymore", the word "breathless", and my assessment of his effort to track down security@ as "hinky"; I wasn't happy with the tone of this comment in retrospect either.</i>