Deonb, can't quote your long post. But two big issues identified:
1) 90% of Microsoft exploits are in private APIs.
Not sure where you get this. Can you provide a reference? This is not my experience, but maybe terminology is getting in the way. P.S. I've got more than 30 years of experience in that field, with the last 13 as CTO of a network security company, and lead the security response teams with tens of thousands of networks under our management.
Our internal security training, as well as the breakdown of API bugs I fixed over the years. Part of this is that Windows internally is much more likely to call a private API than a public one, but it caused us to have to harden private and public APIs just the same. So public APIs generally had scrutiny on them to validate input, credentials, execution context etc. but private APIs didn't go through this because it was assumed nobody could call them (well, years back).
Of course, malware needs access in the first place, which is gained through buffer overflow exploits, social engineering etc. This is the most widely publicized part of security vulnerabilities. However, after the malware has access, it needs elevation of privilege to do real damage. This is where API attacks come into play.
Anyway, the answer is yes I would hold Microsoft to the same. If they had a private API intended for one purpose, and third parties re-purpose that API for another purpose it was not suitable for, then something got exploited by the third party use that would not be exploitable with the original use, then I would neither call the API flawed for its original purpose, nor hold Microsoft accountable.
You're one of a few people then. Many (most?) people who looked at the famous Sony rootkit blamed Microsoft for allowing this in the first place. Perception is unfortunately everything. Whether that web site that they accessed uses some vulnerability in Flash, all that happens is people think Windows is broken.
If there is such an exploit, what is Tesla going to do? Say: "Oh, we created an API that we thought was secure and internal only, but someone has cracked it, and it's THAT thing they're using to exploit the car".
Short spin on that: "Tesla created an insecure API that they admitted was able to be cracked within a weekend. And you're trusting them to send you over the air firmware updates that can control your accelerator??".
Even a relatively benign hack of a Model S isn't going to go over well in its current state.
Tesla SHOULD be able to say: "We designed this API really well so that even an unscrupulous hacker can't do any real damage - go try your best. Free Model S to the first hacker that manages to damage a Tesla using the API". But at the moment all they can say is: "Well, you weren't supposed to be able to call this in the first place. Oops.". And therein lies the real problem.
2) Hacker website.
Using OAuth would have zero effect on that scenario.
The hacker would still collect the authentication tokens for hundreds of cars, and once he has enough could launch the attack.
The flaw here is giving control to untrusted third party websites, not the authentication mechanism.
Agreed, OAuth alone does not help. Think more of the Apple or Windows App Store models:
a) First of all, any addition of a new app, device or service that can control the car, needs to start in the car, not out on the web.
b) You need the ability to give specific apps & services specific privileges. If I use an app that is meant to monitor my battery and it asks for permission to see my location, unlock my car and open my sunroof, I'm not going to use that app.
c) The car should also be able to keep a log of when and where a service has connected to it, and for what purpose.
d) Tesla needs the ability to revoke access to an app at a moment's notice.
e) Finally, and probably most importantly, they need to provide an official mechanism to get access to apps and services that Tesla has verified, rather than driving the developer community underground.
Once there is a legit way to do all this, suddenly the non-legit way becomes a lot more suspicious. Lacking that, any one app looks the same as any other app.
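Points (a) through (d) above, sketched as an added example that is not part of the original post and not Tesla's code: a registry that accepts new apps only from inside the car, checks each action against that app's scopes, logs every attempt, and revokes an app in one call. The class name, scope names and the `approved_in_car` flag are hypothetical.

```python
import hashlib
import secrets
import time


class CarAccessRegistry:
    """Hypothetical per-app grants with scopes, audit log and revocation."""

    def __init__(self):
        self._grants = {}    # sha256(token) -> {"app", "scopes", "revoked"}
        self.audit_log = []  # (timestamp, app, action, location, decision)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked registry does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def grant(self, app, scopes, approved_in_car):
        # Point (a): enrolment must start in the car, not out on the web.
        if not approved_in_car:
            raise PermissionError("new apps must be approved from inside the car")
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = {
            "app": app, "scopes": frozenset(scopes), "revoked": False}
        return token

    def revoke(self, app):
        # Point (d): cut off every token issued to an app at once.
        count = 0
        for g in self._grants.values():
            if g["app"] == app and not g["revoked"]:
                g["revoked"] = True
                count += 1
        return count

    def authorize(self, token, action, location):
        g = self._grants.get(self._digest(token))
        if g is None:
            app, decision = "unknown", "deny:unknown-token"
        elif g["revoked"]:
            app, decision = g["app"], "deny:revoked"
        elif action not in g["scopes"]:
            # Point (b): a battery monitor cannot unlock doors.
            app, decision = g["app"], "deny:out-of-scope"
        else:
            app, decision = g["app"], "allow"
        # Point (c): record every attempt, allowed or denied.
        self.audit_log.append((time.time(), app, action, location, decision))
        return decision == "allow"
```

A token collected by a third-party site stays limited to the scopes it was granted, and the log shows which app attempted what before it was revoked.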