QIWI: account takeover https://qiwi.me
It was possible to take over a user account by sending a wrong code parameter in the /sms/confirm request. The problem is that the code had no relation to the current user session...