I'm sure there are hundreds of holes just waiting to be found in the site.
One example would be using a Flash script to redirect the user to the website stealing their cookies, giving you access to their account. Don't go off and do this now, people. It's possible that Tom and Waid have uber admin accounts and they can edit anything at the click of a button. If they ended up watching one of those movies, argh, it'd be hellish.
Anyway... I wouldn't do anything but report to Tom and Waid about the security hole, so they could fix it. Defacement is for losers.