Security issue in OAuth Uploader tool

Issue #47 new
Lucas Werkmeister created an issue

The OAuth Uploader tool has an outstanding security issue where any website can hijack a visitor’s account and make almost arbitrary edits (and some other actions) on Wikimedia Commons if the visiting user is logged into OAuth Uploader. Details of this issue can be found in T257484 (security-restricted), but there has been no response from @Magnus Manske yet. Maybe this task can bring some more attention to the problem.

Users of the tool can mitigate the risk by logging out as soon as they are done with their work. As far as I can tell, the tool has no “logout” feature, so the only way to log out is to delete the cookies for magnustools.toolforge.org using their browser’s developer tools. Alternatively, they can revoke OAuth Uploader’s access on Special:OAuthManageMyGrants.

Comments (0)