Which is why the point doesn't make sense. The article says tokens were leaked. There are plenty other places where such bug could happen, so it shouldn't serve as a strong validation of "User impersonation code always terrifies the bajeebus out of me".
(Not to mention it's not really user impersonation, it's just filtering your profile page based on computed access level of one of your friends.)