That's a great reason to use OAuth for third party API access. But Tesla doesn't have a third party API. Tesla doesn't share passwords with third parties. Owners wanting to use third party applications (which have reverse engineered Tesla's app's communication) would have to share their passwords, which is on the customer and unwise. Even then, owners can change their passwords and any existing tokens are invalidated and third party apps would then be locked out. Remember, all this communication happens through Tesla's servers, not directly to the car. The argument seems to be that Tesla should have made a third party API to avoid the potential for their customers to share their passwords with third parties. That's a reasonable argument, but not a security flaw on Tesla's part.

Right, but then how is this a flaw on Tesla's part?

Read the article. This 'flaw' requires a Tesla owner's email address AND password to 'exploit'.

I created an account just to be a part of this... :)