Hacker News
by aidos 3762 days ago
I'm not sure what the implications are. What has access to that information? Is it public to all services on the machine?

Either way, I don't think this is 100% responsible disclosure.

2 comments

Anyone with administrative access to the machine could run a capture on the loopback interface and gain access to the plain-text passwords. It's certainly an issue, albeit a limited one (the same user could sniff your keystrokes, etc.).

The author gives his justification for full disclosure in the last paragraph. As I wrote yesterday [0], opinions vary regarding "responsible" disclosure -- and the "discoverer" gets to decide how he wants to handle things.

[0]: https://news.ycombinator.com/item?id=11206955

Maybe I'm not understanding fully how this works, but couldn't any user with administrative access already gain access to this information anyway? It's obviously got to be stored unencrypted in the browser's memory, regardless of how it gets there; I'm not sure what the difference is here.

They could, sure, but this lowers the bar, I think. It's a helluva lot easier to simply fire up a packet capture for a few minutes and grab the credentials from that than to go sifting through all the gigabytes of RAM for the credentials.

That sounds like an "It rather involved being on the other side of this airtight hatchway" problem.

https://blogs.msdn.microsoft.com/oldnewthing/20060508-22/?p=...

I don't think you even need administrator access to the machine. The ports being listened to aren't protected ones, and the process is running as the regular user. Any process running as that user could kill the other process and bind to those ports.

I don't get it. Half of these comments are "this is stupid and impossible to exploit", half are calling this irresponsible disclosure.
They are not related in any way. Responsible disclosure does not mean that what is being disclosed is a real threat or not.