
Ah, makes sense. I guess they just assume that any client who is requesting to sit in that seat is authorized to.


Yeah, the seat is the problem. There are a LOT of security systems that depend on assuming the holder of a large random string, like a GUID, is the proper holder of that string, so it's not necessarily a bad thing for the match. They should have made the seat index random as well, though they are probably now just checking credentials.


Looks to me like they only verified match ids, not the seats at all.



