Jaime Pérez Crespo authored
The offset is prepended in clear to the token itself, so that we can subtract it from the current time and get the original time slot. However, the time slot, salt and verification data are authenticated by means of the hash function, but not the offset. This means we can take an expired token and make it valid by simply increasing the prepended offset as much as needed to hit the time slot it was generated on. This is an important security issue as the tokens are therefore not bound to the current time at all.

In order to fix it, the offset itself is added to the hash computation, so that a change in the offset produces a new hash that won't match.
c7c8b131
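
The flaw and the fix described in the commit message above, as an added example that is not code from this commit or project. The token layout (`offset-hash`), `SALT`, `LIFETIME` and all function names are assumptions made for illustration; the check compares a scheme that leaves the offset out of the hash with one that includes it.

```python
import hashlib
import hmac

SALT = "constructed-demo-salt"  # constructed value standing in for the secret salt
LIFETIME = 900                  # assumed time-slot length in seconds
DATA = "user@example.org"       # constructed verification data

def _digest(slot, data, offset=None):
    # Unbound variant hashes slot, salt and data only; the bound variant
    # also covers the offset, as the fix describes.
    fields = [str(slot), SALT, data]
    if offset is not None:
        fields.append(str(offset))
    return hashlib.sha256(":".join(fields).encode()).hexdigest()

def generate(now, data, bind_offset):
    offset = now % LIFETIME              # makes the slot start at issue time
    slot = (now - offset) // LIFETIME
    return f"{offset:x}-{_digest(slot, data, offset if bind_offset else None)}"

def validate(token, now, data, bind_offset):
    head, sep, digest = token.partition("-")
    try:
        offset = int(head, 16)
    except ValueError:
        return False
    if not sep or offset < 0:
        return False
    slot = (now - offset) // LIFETIME    # offset is read from the token as-is
    expected = _digest(slot, data, offset if bind_offset else None)
    return hmac.compare_digest(expected.encode(), digest.encode())

def with_offset_increased(token, seconds):
    # Rewrites only the clear-text prefix, leaving the hash untouched.
    head, _, digest = token.partition("-")
    return f"{int(head, 16) + seconds:x}-{digest}"

def regression_check(bind_offset, issued=1_700_000_000, elapsed=3 * LIFETIME + 17):
    token = generate(issued, DATA, bind_offset)
    later = issued + elapsed
    shifted = with_offset_increased(token, elapsed)
    return {
        "fresh": validate(token, issued + 10, DATA, bind_offset),
        "expired": validate(token, later, DATA, bind_offset),
        "expired_offset_shifted": validate(shifted, later, DATA, bind_offset),
    }
```

With `bind_offset=False` the expired token validates again once its prefix is shifted; with `bind_offset=True` the same token is rejected, which is the property a regression test for this fix should pin down.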