I just noticed that when using the standard new site template in asp.net 4 and enabling oauth, you can hijack or overwrite other accounts.
Say you create an account for mike@mike.com.
Then you login via google with tom@tom.com and asp.net asks for you to enter an e-mail address to link with your local account.
Now you enter mike@mike.com with a new password.
And voila, mike can't log in anmyore, since tom signed up. Not sure if tom is hijacking mikes account or just deleting it, but this definitly isn't a feature to be to proud of.
Can you reproduce this?