
While the blogpost is interesting, I am skeptical of the author's claim that the recovered private key may be used for decrypting user data transmitted over the wire, since private keys cannot be used for encrypting data sent to somebody else.

All it can do by itself is decrypt data sent from others, or digitally sign some data.

I would suspect that the bundled private key was used for digitally signing data to show that it was actually generated by the software. The approach is not perfect (since the private key may get decrypted as the author did), but in general it would work effectively for kicking out third party software.

If the developer's intention was to encrypt the data transferred through the public network, then he/she should have used TLS with server-side authentication, with optionally using clear-text credentials transmitted over the encrypted channel to authenticate the software (e.g. basic authentication over HTTPS).

If it gets proved that private information could be decrypted from data transmitted over the public network by using the recovered private key, then this would be an interesting case of misusing public-key cryptography.



Why minus votes?


Because you've misunderstood the situation.

There's no doubt that this key can be used to man in the middle user connections, that's what the software it was extracted from is using it for.


Thank you for the comment.

I think you did not understand my comment.

It is true that the software is used for MITM. It is true that _Superfish_ is in the middle, decrypting the communication.

OTOH the author claimed that it might be likely for _others_ as well to possibly MITM the communication, by using the recovered key. My comment is that such a situation is unlikely under the premise that the public-key encryption technology was used correctly (from a technical standpoint, not ethical).

EDIT: Even if it was the case that the recovered private key was used by the MITM server running locally for communicating with the web browsers, it wouldn't mean that others could use the key to decrypt data transmitted over the wire by using the key, since all the communication encrypted by the key would terminate within the local machine.

EDIT2: Ah sorry, now I understand. The root certificate installed by the adware was using the recovered private key. That would mean that others can MITM the communication by DNS spoofing, etc. together with a server certificate signed with the recovered key.



