This is true, but this attack could work in an iframe in the background without that click. An attacker could buy a popular blog on the note-taking app and run the iframe in the background, collecting data for years. The bug was at least 5 years old.