Interesting findings. Though I didn't get why the author concentrated so much on the security issues of the UI while the real issue is that the whole thing is snake oil. I mean - what if the UI was great, had HTTPS and there were no CSRF vulnerabilities? Would this be considered a secure product?