Shitty and shifty as Uplay is, it's funny how conspiracy theories are formed over even the stupidest things.
What happened is that the browser plugin was naively coded and a developer at Ubi thought "Yup, Base64, nobody will ever break that!" and nobody noticed it.
No amount of regular QA testing would've caught this, because, the feature it was made for worked as expected. Unless of course they have QA that focuses on security issues like this. What would've probably caught it in a blink of an eye is a peer review of the code written from someone who understands the implications of not filtering any user input.