Right now, most people use Tent to share short 256 character long status posts with friends. Many independent developers are building other apps that use the Tent protocol.
The author should disclose if his start-up potentially competes with Twitter.
I agree, but I don't think it matters too much. He has reported it responsibly. Now, if he had come out with a "zero-day" report, then his competing status would be highly germane.
It was probably because of this competing (experimenting with feature sets, etc) that he found the issue in the first place.
You can spoof sender information even when you're running through a shortcode gateway, so short of requiring some sort of authentication on every transaction, there's no real way around this.
Just like email, you should never trust the remote identity.
I still (it's 2012!) can amaze/scare/shock people by sending mails as their so/dad/uncle/lover/boss. SMS is just the same and for just the same reasons it's 'okay' (the usual use case is beneficial: I might want to send mail and define the from header. I really might want to send a text message from a website that looks like it came from my mobile, and leads replies to end up on it).
Twitter has a PIN code feature that requires every message to be prepended with a four-digit alphanumeric code. This feature mitigates the issue, but is not available to users inside the United States.
So they fixed the problem... but are withholding the fix from tons of users?
As I've said previously, phone number is not identity and confusing the two is foolish.
What'sApp uses your phone number as the username and your IMEI backwards as the password, so I'd say they're a tad more insecure than even these folks.
The author should disclose if his start-up potentially competes with Twitter.