I agree about the hacked browser. I think one of the main arguments by Eran against OAuth2 is that it is basically broken for mobile applications (non-web) and this is just another of the ways it is broken.
"For the love of phlegm...a stupid wall of death rays. How tacky can ya get?" - Post Brothers comics