(I'm the researcher in question).
This was the result of a lot of research over some weeks. A lot of people have asked me whether I think this was being used in the wild.
On one hand, it was hard to find, but on the other hand it has probably existed for years, so it is really hard to tell. It is quite worrying the impact it could have been having if it was known.
More technical details here: http://www.tomanthony.co.uk/blog/google-xml-sitemap-auth-byp...
(Tom works at my company)