Hacker News

What if you did something like hash(plaintext_pw+"twitchsalt") <browser> ---> <server> hash(browser_hash + db_salt)


If I understand this right, the problem is "twitchsalt" has to be known so that you can generate the same hash for future logins. So it's just one iteration of hashing more for a brute force attempt (modern hashing algorithms already use multiple iterations of hashing to make brute forcing harder).


Well, bear in mind, the hacker also has the exact code Twitch uses to salt its hashes.


The browser_hash is now the password.
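The scheme sketched in the thread, as an added example that is not part of any of the comments above and not Twitch's code. It assumes a constructed public client salt (the thread's hypothetical "twitchsalt"), SHA-256 for the browser-side step, and PBKDF2-HMAC-SHA256 with a per-user random salt as the server-side hash; the iteration count is an assumption chosen to keep the demo quick. The point it shows is the one the last two comments make: the client step is a single fast hash with a salt that must be public, and whatever the browser sends is what the server actually verifies, so a leaked browser_hash logs in without the plaintext ever being known.

```python
import hashlib
import hmac
import os

# Constructed values for this example. The public client-side salt is the
# thread's hypothetical "twitchsalt"; it is not a real Twitch value.
CLIENT_SALT = b"twitchsalt"
PBKDF2_ITERATIONS = 100_000  # assumption: kept low so the demo runs quickly


def client_prehash(plaintext_pw: str) -> bytes:
    """Browser side: hash(plaintext_pw + "twitchsalt").

    One fast SHA-256 call. The salt has to be the same on every login so the
    browser can reproduce the value, which is why it cannot be secret.
    """
    return hashlib.sha256(plaintext_pw.encode("utf-8") + CLIENT_SALT).digest()


def server_store(browser_hash: bytes) -> dict:
    """Server side: hash(browser_hash + db_salt) with a random per-user salt
    and a slow, iterated KDF. The server never sees the plaintext password."""
    db_salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", browser_hash, db_salt, PBKDF2_ITERATIONS)
    return {"db_salt": db_salt, "hash": stored}


def server_verify(record: dict, browser_hash: bytes) -> bool:
    """Recompute the server-side hash from whatever the client submitted and
    compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", browser_hash, record["db_salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    """Walk through enrolment, a normal login, a wrong password, and a login
    that only holds the browser_hash (no plaintext at all)."""
    # Enrolment: the browser sends its pre-hash, the server stores a slow hash of it.
    record = server_store(client_prehash("correct horse battery staple"))

    # Normal login: the browser recomputes the same pre-hash from the plaintext.
    normal_login = server_verify(record, client_prehash("correct horse battery staple"))
    wrong_pw = server_verify(record, client_prehash("wrong password"))

    # Whoever holds browser_hash (a compromised client, a log line, a proxy that
    # saw the request) can submit it directly. No plaintext, no client salt,
    # no extra work: the browser_hash is the credential the server checks.
    captured_browser_hash = client_prehash("correct horse battery staple")
    login_with_hash_only = server_verify(record, captured_browser_hash)

    return {
        "normal_login": normal_login,
        "wrong_pw": wrong_pw,
        "login_with_hash_only": login_with_hash_only,
    }


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow for the server operator: the value the browser sends must be protected exactly like a password (TLS only, never written to request logs), and the server-side step must still be a slow, salted KDF, since an attacker with the database recomputes `client_prehash(guess)` once per guess and the client step adds only that one cheap hash to the cost of each attempt.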




