Terence Eden wrote in his blog post that Twitter has a gaping security hole and that changing the password won’t stop malicious users logging in as you.

Implementation error
I'd say that this is both Twitter's and OAuth's fault. If you suspect that someone has compromised your account and you change the password, the OAuth token should be deleted. Even though the documentation doesn't suggest it, the engineers who implemented it should make sure that if you change your credentials, the token is removed from all connecting sites.
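The behaviour argued for above, as an added sketch that is not Twitter's code or part of the original post: a hypothetical `Account` class issues access tokens to third-party clients and, when `revoke_on_password_change` is set, drops every issued token as soon as the password changes. All class, method and client names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical account model; not any real provider's API."""

    def __init__(self, password: str, revoke_on_password_change: bool):
        self.revoke_on_password_change = revoke_on_password_change
        self._set_password(password)
        self._tokens = {}  # sha256(token) -> client name; raw tokens are never stored

    def _set_password(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _kdf(password, self._salt)

    def _check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._pw_hash, _kdf(password, self._salt))

    def authorize(self, client: str, password: str) -> str:
        """Owner logs in and grants a third-party client an access token."""
        if not self._check_password(password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = client
        return token

    def token_valid(self, token: str) -> bool:
        return hashlib.sha256(token.encode()).hexdigest() in self._tokens

    def change_password(self, old: str, new: str) -> None:
        if not self._check_password(old):
            raise PermissionError("bad password")
        self._set_password(new)
        if self.revoke_on_password_change:
            # A credential change invalidates every grant issued under the old one.
            self._tokens.clear()


def token_survives_password_change(revoke: bool) -> bool:
    """Constructed scenario: a client is authorized, then the owner changes the password."""
    account = Account("old-constructed-pw", revoke_on_password_change=revoke)
    token = account.authorize("third-party-app", "old-constructed-pw")
    account.change_password("old-constructed-pw", "new-constructed-pw")
    return account.token_valid(token)
```

With `revoke=False` the token issued before the password change is still accepted afterwards; with `revoke=True` it is rejected and the client has to be authorized again.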
Easy to use vs Security
Hijacking session tokens is a general design problem for a lot of social networking sites, because they want to ease the login procedure for members and still keep the sessions secure. A similar security threat was reported for Facebook and MySpace, in which malicious Flash applications could read members' tokens to take over their accounts.
This is not a problem only for Facebook, Twitter or even OAuth, but a system design issue for websites in general that use these technologies. You must always look at what data is accessible to whom, especially when you allow third-party applications or user-generated content.