Yes they have hardcoded a key in terminal. This introduces another vulnerability. I will add the details in the bitcointalk post.

its not a vulnerability if they're modulating the hardcoded key per CJ round correct? as @waxwing suggested on original vulnerability disclosure post Jan 7th? either way, the server CANNOT give clients a unique key for identification.