Twitter OAuth feature can be abused to hijack accounts, researcher says