The emerging OAuth 2.0 Web API authorization protocol, already deployed by Facebook, Salesforce.com and others, is coming under increased criticism for being too easy to use, and therefore to spoof by ...