Why is it click-bait? It just says that support for the Bluetooth API was added. Why would anyone extract from that that there were no safeguards in place against abuse?!
I agree the fact that an explicit user interaction is required doesn't necessarily constitute a safeguard. How many times has my Android phone updated an app, which inexplicably now requires additional permissions? Formerly it only needed access to my media. Now it needs access to my phone logs, GPS, address book, etc. etc. Confirm? [Yes] [Cancel]. Like most users, I update the app every time. So when this Bluetooth system says "This web app needs access to your Bluetooth Home Thermostat system. [Accept] [Stop using App]" people will more than likely press accept, and away we go.