Maybe I'm being dumb but
the page (alleged exploit) you link to appears not to be https and has no padlock in the browser, despite being the kind of page where sensible people might understandably want to see a padlock and/or https.
Now, I don't use googlemail and I'm not a web expert but when I went to mail.google.com I got https: in the address bar and a padlock in the status bar.
Did the author of the article try this?
Did the author of the article consider this ?
Is there any real significance of this exploit in the bigger picture? E.g. what kind of person would be fooled by this alleged "exploit", and if the victim can't tell the difference between secure and insecure why do they deserve an Interweb driving licence anyway?
Or have I misunderstood?
Have a nice weekend.