Patrick, take a look at your auth code on intersango. Shore your own doors before you piss in other people's pools.
Surely if there is an issue you can break in and steal the 10 BTC in the account with email
h4xm3@covertinferno.org whose password is imapassw0rd.
Shouldn't be too hard, right?
p.s. the attack works; I tested it on several nodes which were running multiple bitcoind instances (which I called peers in the chat log).
p.p.s. I disclosed this over a year ago but never got around to actually writing a PoC because it's annoying to get the timing right on everything.