It was just as obvious two months ago as today, but now people have a one-word conceptual model to use without needing to understand cookies, browser requests, proxies, broadcast domains, or cross-site issues.
Obvious to us. Amazing to the normals.
That was the problem with before: in order to understand the threat, you needed to have a sophisticated mental model to be able to convince yourself "Yes, while I am unaware of any actual threats that use this, I can see the potential for abuse." You needed to be able to deduce a threat from first principles. But once an actual threat exists, you get a shortcut; you can work backwards from the known threat rather than forwards from the system itself.