REGISTER_GLOBALS was apparently turned on and he used session IDs. In various places on the site he was getting user IDs and whatnot for the current session.
If you had an account and were signed in and knew a user ID, you could go to their profile and it would set the current session to their profile ID; when you went to "My Account" you had access to all of the OTHER person's info. This included the ability to change passwords and e-mail and whatnot. Not cool. Luckily the site has only been live for a day so it's doubtful anyone else has discovered it. The server he had to use was a shared server, so he couldn't really change the settings, but he had a workaround by changing the variable names.
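The collision described above, as an added example that is not the site's own code: the register_globals binding is emulated with a reference, since the setting was removed in PHP 5.4, and every name here (`user_id`, `id`, the function names) is an assumption.

```php
<?php
// Added illustration; all names are assumptions, not the site's code.

// Emulates the register_globals binding: the session variable is exposed to
// the page as a plain variable of the same name, by reference, so whatever
// the page assigns to it is saved back into the session.
function profile_page_vulnerable(array &$session, array $get): string
{
    $user_id = &$session['user_id'];   // what register_globals did implicitly
    // The page reuses the same name for "whose profile is being viewed".
    $user_id = (int) $get['id'];       // silently rewrites the logged-in identity
    return "Showing profile #$user_id";
}

// Hardened: the logged-in identity is only ever read from the session array,
// and the viewed profile gets its own validated, differently named local.
function profile_page_hardened(array $session, array $get): string
{
    $viewed_id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 1]]);
    if ($viewed_id === false) {
        return 'Bad request';
    }
    return "Showing profile #$viewed_id";
}

// "My Account" trusts the session to say whose account is being edited.
function my_account(array $session): int
{
    return $session['user_id'];
}

// Constructed sample: user 7 is logged in and views user 42's profile.
$session = ['user_id' => 7];
profile_page_vulnerable($session, ['id' => '42']);
echo 'vulnerable: My Account edits #', my_account($session), PHP_EOL;

$session = ['user_id' => 7];
profile_page_hardened($session, ['id' => '42']);
echo 'hardened:   My Account edits #', my_account($session), PHP_EOL;
```

Renaming the page variable, as in the workaround, removes this particular name collision; reading identity only from `$_SESSION` and request data only from `$_GET`/`$_POST` removes the dependence on variable names altogether.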