Yes, the API is flawed. But as far as we know there is no actual danger as long as an owner doesn't hand credentials to a third party site.
I think there's a problem with the underlying assumption that empowering third-party sites to add value to your car is a bad thing.
I know I sorta suggested as much at one or more points in this thread. But it's not. They add value. Everyone legitimately does it all the time with a variety of web sites, including banking we sites. It is increasingly becoming an expectation.
If people think about it, they often think, "What is the worst that can happen?" And they still share their banking credentials with sites like Mint.com. In the case of Tesla, on the face of it, you might just think it's about honking horns.
For those that just don't agree with me and think I should never say anything negative about Tesla, someone else made a great point over on the Tesla Motors web site:
-> If one of these third-party sites gets hacked and it impacts a large number of Tesla owners, what do you think the press coverage is going to look like then? And who do you think will get blamed?
- - - Updated - - -
Sometimes all this tech talk does is to scare us innocents.....just sayin'.
I think, in this case, it should. At least a little.
NOT in the sense that there's some kind of immediately exploitable hole that will crash your vehicle.
But instead that there are real things you need to consider when you leverage third-party tools that aren't true of other, better written environments out there. I think any environment is flawed if it requires you to have this kind of special knowledge.