It came from the same developer. The mere fact that he was that sloppy in securing a publicly-facing service to leave a vulnerability so severe and so easily discovered should have you asking: why should I believe that anything else in this project is any more robust and secure (and will be in the future)?