Lots of companies do this. I've seen it on HN even. We probably should consider it an attack, but there's no way regulators will go for it. There are counter measures against it though, but I doubt anything is foolproof
Or, use a web browser that doesn’t support any cross site state, at all.
I’d love to have such a browser, and to disable the browser that came with my phone, but does not have this property.
(Things like firefox focus or the duck duck go browser for iOS try to do this; I’m not sure if they succeed, but they should protect against the attack described in the article, at least.)
Don’t open a private window and log in to multiple things… problem solved?