The way I read the info (on the original report directly), it's not that it was possible to read another user's list of items; you have to know the user ID and item (certificate) ID. The items were sequentially numbered, but you had to know which user has which ID to find it.

It's still wrong, but not quite as simple as looking up another user's entire item list: there are at least 2x10^13 possible combinations judging by the numbers on his report, and only 1 in 4,000,000 will produce a result.

I assume he tested by setting up a second account (or just logging out), so he didn't access any records he shouldn't have had access to. He'd also have known the account ID and record ID he was looking for, so he wouldn't trip any alarms by scanning through a million incorrect combinations first.
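As an added illustration of the bug shape being discussed (a record reachable by a client-supplied user ID plus a sequential item ID, with no check that the session owns it), here is a minimal vulnerable handler next to a fixed one, plus the per-session "miss" counter that would catch the scan the post says the researcher avoided. This is not code from the report or the site under discussion; the store, the IDs, the function names and the threshold are all constructed for the example.

```python
from collections import Counter


class Forbidden(Exception):
    """Raised when a request asks for an object its session does not own."""


# Constructed sample data: (user_id, item_id) -> certificate payload.
# Both IDs are sequential, as in the discussion, so they are guessable.
ITEMS = {
    (1001, 1): "certificate 1 of user 1001",
    (1001, 2): "certificate 2 of user 1001",
    (1002, 1): "certificate 1 of user 1002",
}


def get_item_vulnerable(session_user_id, requested_user_id, item_id):
    """Looks the record up by the IDs in the request and never consults the
    session: any logged-in user who guesses (user_id, item_id) reads it."""
    return ITEMS.get((requested_user_id, item_id))


def get_item_fixed(session_user_id, requested_user_id, item_id):
    """Keys the lookup on the authenticated user rather than on a user ID
    the client chose; a mismatch is refused before any data is touched."""
    if requested_user_id != session_user_id:
        raise Forbidden("object belongs to another user")
    return ITEMS.get((session_user_id, item_id))


def fixed_denies(session_user_id, requested_user_id, item_id):
    """True if the fixed handler refuses the request (helper for checking)."""
    try:
        get_item_fixed(session_user_id, requested_user_id, item_id)
    except Forbidden:
        return True
    return False


class MissTracker:
    """Counts lookups that return nothing, per session. A real user rarely
    asks for records that do not exist; a scan of guessed IDs does so almost
    every time, so a run of misses is the alarm the post refers to.
    The threshold is an assumed tuning value, not one from the report."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.misses = Counter()

    def record(self, session_user_id, result):
        """Record one lookup result; return True once the session is flagged."""
        if result is None:
            self.misses[session_user_id] += 1
        return self.misses[session_user_id] >= self.threshold


def simulate_scan(session_user_id, target_user_id, item_ids, threshold=10):
    """Replay a guessing scan against the vulnerable handler and report
    whether the miss counter would have flagged the session."""
    tracker = MissTracker(threshold)
    flagged = False
    for item_id in item_ids:
        result = get_item_vulnerable(session_user_id, target_user_id, item_id)
        flagged = tracker.record(session_user_id, result) or flagged
    return flagged, tracker.misses[session_user_id]
```

The fix does not try to hide the IDs (sequential IDs are a weakness, but not the bug); it stops deriving the owner from the request. The tracker is the cheap detection side: a targeted single lookup, which is what the post assumes the researcher did, never trips it, while a scan does within a handful of requests.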

