I have been pecking away at building an online service for the last year. I spent three months just getting the oath implementation functional (I couldn't use an existing implementation). I still wasn't satisfied.
Then I read this. Twice.
Win for me... I think I was actually vaguely aware of this and covered the risk. So I think I'm ok.
1. I intentionally took measures that cover the described scenario
2. I don't store anything that should be considered private
Maybe I'll read it again just to be sure.