I even performed the exploit on this board by PM'ing a mod and posting a phantom message as a non-registered user.
Since bots are not able to PM, I assume you hit a different bug whereby the session system used your registered user account but with the different user agent (we do not have browser checks enabled here). We fixed this by setting the bot variable to false if this is the case, so as not to let the user "use" a different name while still being the registered user, even if surfing with a user agent matching a bot.
I do not think the wording "exploit" is correct here. Sure, it is security related, but an exploit is a script you run to take down a board or perform malicious actions.
I also think we will deny access to the posting page completely for bots, as we do for the user control panel.
With the next update, permissions will be refreshed completely within the database update script, preventing such things from happening again.