This attack requires that you run JavaScript, which gets me thinking: people browse hidden services with NoScript turned off? I leave it on for everything except trusted clearnet sites.