by kmiroslav 3617 days ago
I don't quite follow. The author says that by entering the URL "http://avlidienbrunn.se/@twitter.com/@hehe.php", the extension is fooled into autofilling as if the browser was on twitter.com.

What's the difference with simply going to "http://twitter.com"?

This looks more like a bug than a vulnerability, what am I missing?

2 comments

A bug that tricks the secure password management tool into revealing your Twitter password to a website that is not Twitter! That's a pretty major security vulnerability due to a bug in URL parsing.
But the information is not sent to the server, it's simply pasted in the text field.
Yes, but some JavaScript can detect that the text field has been filled, and then send the information back to the attacker's server. An (innocent) example of this is when you type something into Google's search field, and you already see suggestions, even though you haven't clicked anywhere or hit Enter yet.
An attacker could fool the extension into autofilling a form on a domain they control with credentials from another domain and send the credentials to their server.
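
The host-matching mistake this thread discusses, shown beside a corrected check. This is an added example, not code from the extension or from any commenter: `naiveHost`, `parsedHost` and `shouldAutofill` are hypothetical names, the regex is an assumed illustration of this class of parsing bug, and exact-host comparison is a simplification of how a password manager matches sites.

```javascript
// Added example; not the extension's code. All function names are hypothetical.

// URL quoted in the thread.
const THREAD_URL = "http://avlidienbrunn.se/@twitter.com/@hehe.php";

// Flawed pattern: accepts "userinfo@" anywhere after the scheme, without
// first cutting the authority off at the first "/", "?" or "#".
function naiveHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:.*?@)?([^\/:?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Corrected: let the WHATWG URL parser decide where the authority ends.
function parsedHost(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null; // unparseable input never matches a saved site
  }
}

// Autofill decision: the page's host must equal the saved entry's host.
// hostOf is injectable so both parsers can be compared on the same input.
function shouldAutofill(pageUrl, savedSiteUrl, hostOf = parsedHost) {
  const page = hostOf(pageUrl);
  const saved = hostOf(savedSiteUrl);
  return page !== null && page === saved;
}

// Constructed comparison cases alongside the thread's URL.
for (const url of [THREAD_URL, "https://twitter.com/login", "http://user@twitter.com/"]) {
  console.log(url, "| naive:", naiveHost(url), "| parsed:", parsedHost(url));
}
```

With the flawed parser the "@" inside the path is read as a userinfo separator, so the page is treated as twitter.com; the standard parser stops the authority at the first "/" and reports the real host.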