Comment 4 for bug 1299012

I think the attack scenario is a bit far-stretched. Chaining tokens was never documented as a way to securely perform 2-factor auth (and IMHO should never be used for it, this bug being fixed or not). This should definitely be fixed but I don't think we should consider it an exploitable vulnerability.

Unless someone complains we shall open this bug and fix it quickly in public.