I really hope that Virgin are not stupid enough to go after you in some lawyery way over this. I think you are already running a risk by disclosing this at all. The usual next step when a company doesn't show willingness to fix a security problem is that they try and shoot the messenger :-(
It should be trivial for anyone who understands HTTP and threads to reimplement.