The vulnerability is a horizontal privilege escalation. The PIN reset function, while updating the PIN for the current user, also carries all of that user's personal data (including the username) in the POST request. This allows an attacker to tamper with the request, replacing their own username with the victim's username and setting a new PIN for the victim.
Many web developers know about SSL/HTTPS, but it is very common to see it only partially deployed, or not deployed where it should be. This basic guide by @Erik Romijn on when and how to deploy SSL/HTTPS will help you avoid the most common mistakes.