Hi Peter,

I agree, that's why I said at the top of this post "Twitter has a gaping security hole. "

There is nothing to suggest that OAuth itself is flawed - nor is it less secure than giving a random site your password. I'd much rather use OAuth.

But if someone does have your password, and uses OAuth before you have a chance to change it, they will still have access to your account even after the password has changed.

I haven't exaggerated anything. Create a dummy account and try it for yourself if you don't believe me.