Is this saying that the presence of the state parameter creates an opportunity for CSRF? Can you explain the gist a little more?
Does the presence of the state parameter make any difference in this scenario?
My understanding is that the purpose of the state parameter itself is to help prevent CSRF (see: http://instagram.com/developer/authentication/), which states:
"Note: You may provide an optional state parameter to carry through any server-specific state you need to, for example, protect against CSRF issues."
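An added example, not part of the original thread or of Instagram's documentation: one way a client application can use the state parameter from the quoted note is to issue an unguessable value per login attempt, keep it in the user's session, and reject any callback whose state does not match. The endpoint, client id, redirect URI and function names below are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical values, used only for illustration.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/callback"


def begin_login(session):
    """Issue a fresh state value, store it in this user's session, and
    return the authorization URL the browser is redirected to."""
    state = secrets.token_urlsafe(32)  # unguessable, URL-safe
    session["oauth_state"] = state
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Return the authorization code only if the callback carries the state
    issued to this session; return None for anything else."""
    params = parse_qs(urlparse(callback_url).query)
    # pop() makes the stored value single use, so a replayed callback fails.
    expected = session.pop("oauth_state", None)
    received = params.get("state", [None])[0]
    code = params.get("code", [None])[0]
    if expected is None or received is None or code is None:
        return None
    # Constant-time comparison of the issued and returned values.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    return code
```

The check only helps if the session store is tied to the user's browser (for example a server-side session keyed by a cookie); a state value that is never compared on the callback gives no CSRF protection.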