Hacker News
by rjblackman 1452 days ago
Is this still relevant? The article is 2 years old, was the flaw addressed?

Not only was the flaw unaddressed, the decision was made to make it harder to see who is requesting the code - the app now only shows the user an accept/reject button. The replay attack can be done entirely passively, without any awareness that it has taken place, even by a user who is paying attention.