I agree about the hacked browser. I think one of the main arguments by Eran against OAuth2 is that it is basically broken for mobile applications (non-web) and this is just another of the ways it is broken.
The public is an old woman. Let her maunder and mumble. -- Thomas Carlyle