I follow the issue of defeating the purpose of the sandbox -- the token is sent to a log where other apps can read it, so an app that has "read sensitive log files" and "access network" rights could run amok over the user's FB. The article goes on to describe getting access to other folks' accounts, but only after convincing them to enter credentials. But there are already plenty of drawbacks to installing malicious apps on your own smartphone, and lots of reasons not to enter credentials on some random device.
If a user had FourSquare (or Parse) installed during the time of the vulnerability, that exploit would've worked. Maybe hidden in an obscure (partly useful? Wallpapers of a hot movie at that time?) and simple app.
Although the user 'just' logged in to known apps and services on his very own device. So your argument about not entering credentials on random devices seems off to me. The one about not installing each and every application out there is correct and spot on, of course.