I agree about the hacked browser. I think one of the main arguments by Eran against OAuth2 is that it is basically broken for mobile applications (non-web) and this is just another of the ways it is broken.

I was wondering where Kim Stanley Robinson got the idea for moholes: http://en.wikipedia.org/wiki/Project_Mohole