Initially I was more wondering about token security in general, for my own education, wondering why tokens could not be secured a step further, to make the use of a stolen token much more difficult.
Then I guess it is all about combining security measures like the lifetime of the token, signing it, securing against script injection, avoiding any obvious back door, etc. But also application-side techniques like multi-factor authentication, sending emails to the owner when there is suspicious activity, etc.
We are also depending on the seriousness and safety of all the applications we are using.
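Two of the measures the post lists, a bounded lifetime and a signature, are straightforward to combine in code. The following is an added example (not code from the post or from any library it refers to) of a minimal HMAC-signed token with an expiry claim, where verification rejects both tampered and expired tokens. The secret key, claim names and lifetimes are assumptions for illustration only.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: a server-side secret. In a real deployment it comes from a
# secrets store and is rotated; it is hard-coded here only so the example runs.
SECRET_KEY = b"example-only-secret-key-change-me"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is safe in headers/URLs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64: restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, lifetime_seconds: int, now: Optional[float] = None) -> str:
    """Build '<payload>.<signature>' where payload carries sub/iat/exp claims.

    A short lifetime bounds how long a stolen token stays usable; the HMAC
    over the encoded payload stops anyone without the key from altering it.
    """
    now = time.time() if now is None else now
    claims = {"sub": subject, "iat": int(now), "exp": int(now) + lifetime_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None.

    The signature is checked first, with a constant-time compare, so the
    expiry claim is only trusted once we know it has not been tampered with.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    expected = _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if now >= claims["exp"]:
        return None
    return claims


def forge_subject(token: str, new_subject: str) -> str:
    """Helper for the demo: rewrite the subject but keep the old signature."""
    payload, sig = token.split(".")
    claims = json.loads(_unb64(payload))
    claims["sub"] = new_subject
    forged = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{forged}.{sig}"


if __name__ == "__main__":
    issued_at = 1_000_000
    tok = issue_token("alice", lifetime_seconds=300, now=issued_at)
    print("valid within lifetime:", verify_token(tok, now=issued_at + 100))
    print("after expiry:", verify_token(tok, now=issued_at + 300))
    print("subject tampered:", verify_token(forge_subject(tok, "bob"), now=issued_at + 100))
```

Note what this does and does not buy: the signature makes forging or editing claims infeasible without the key, and the short `exp` limits how long a leaked token is useful. It does nothing against a stolen token that is replayed within its lifetime, which is exactly why the post's other, application-side measures (MFA, alerting the owner on suspicious activity) still matter.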