It's not a client-side fix. Just stop the server from sending the token/link to the clients. Sure, that might degrade the client experience a bit (assuming that the client isn't just displaying a webview, in which case no degradation would occur), but it would fix the problem for now.
Later on you can take your time rolling out a client fix if it's required, but a hotfix server-side is entirely possible; there's no excuse for keeping this vulnerability possible when it's been made this public (step-by-step instructions to hack someone's account, with screenshots!), especially since you were contacted privately about it ~3 months ago.