It's not clear. The relevant text seems to imply that an attacker can link their own device to a target account via providing a malicious URL (vs. commandeering an already-legitimately-linked device, which I guess is what you're imagining). That sounds like a legitimate flaw. But there are no details.