Look, it's fair to freak out, but it's also fair to point out that most people have known about this problem for a long time. I was scrubbing my hashes of unwanted keys as far back as when I wrote ma.gnolia.com in 2006.
And it was considered common knowledge back then. And most people don't fix it using attr_protected, so are we really sure that all those projects are vulnerable? A simple string search would not suffice.
Eric executed actual attacks against all the projects mentioned in the article. Most of them resulted in data corruption (e.g., making a page unviewable by setting a non-existent user ID) but on one he was able to change his order status to "paid".
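The key scrubbing mentioned in the first comment, set against the two outcomes described in the reply (a non-existent user ID, an order marked "paid"), as an added example that is not code from either commenter or from any of the projects discussed. The `Order` class, the `scrub` helper, the permitted key list and the sample params are all hypothetical, and plain Ruby stands in for ActiveRecord so the block runs without Rails.

```ruby
# Constructed stand-in for an ActiveRecord model: every attribute has a
# public writer, which is what makes blind mass assignment dangerous.
class Order
  attr_accessor :shipping_address, :note, :status, :user_id

  def initialize
    @status  = "pending"
    @user_id = 1
  end

  # Mimics assigning a whole params hash: each key becomes a setter call.
  def assign(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Keys the form is actually meant to change (assumed for this example).
PERMITTED = %w[shipping_address note].freeze

# Allow-list scrub: returns the permitted subset plus the rejected key names
# so the caller can log them. Keys are normalised to strings because request
# params may arrive with either string or symbol keys.
def scrub(params, permitted = PERMITTED)
  clean, rejected = {}, []
  params.each do |key, value|
    name = key.to_s
    if permitted.include?(name)
      clean[name] = value
    else
      rejected << name
    end
  end
  [clean, rejected.sort]
end

# Constructed request body: one legitimate field plus two extra keys.
SAMPLE_PARAMS = {
  "shipping_address" => "1 Example Street",
  "status"           => "paid",
  :user_id           => 999_999
}.freeze

# Without scrubbing, the extra keys reach the model's setters.
def unscrubbed_order
  Order.new.assign(SAMPLE_PARAMS)
end

# With scrubbing, only permitted keys are assigned; the rest are reported.
def scrubbed_order
  clean, rejected = scrub(SAMPLE_PARAMS)
  [Order.new.assign(clean), rejected]
end
```

Returning the rejected key names lets the controller log unexpected parameters, which is a useful signal that someone is probing the form.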