In muddling through a local implementation of an OAuth client this morning I stumbled upon an oddity in the Twitter OAuth process: Even if the signature is invalid, the Twitter API will return an access token and an access secret. It's unclear if this is by design (although it seems unlikely), but other OAuth service providers such as Google do require correct authentication in this case.
Here's the issue in a nutshell: http://gist.github.com/300146 And here's an interactive example demonstrating the issue: http://gist.github.com/300511 (I should note that even if I'm right and this is an actual vulnerability in the Twitter API, subsequent and real requests to the Twitter API still require the consumer secret to be signed correctly.)
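To make concrete what a service provider is expected to do on the access-token exchange, here is an added example (not code from the original post, from either gist, or from Twitter) of OAuth 1.0a HMAC-SHA1 signing on the client side and the matching verification on the server side, where a request whose signature does not recompute gets no token. The consumer key, secrets, URL and the in-memory consumer/token tables are constructed for illustration.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing and server-side verification.

Added example, not the original post's code: the server recomputes the
signature over the request it actually received and refuses to issue an
access token when the recomputed value does not match the one sent.
All keys, secrets and URLs below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only A-Za-z0-9 - . _ ~ are left as-is."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Section 3.4.1: METHOD & enc(url) & enc(sorted k=v pairs), minus oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: key is enc(consumer_secret) & enc(token_secret), output is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret, token_secret=""):
    """Client side: add the oauth_* protocol parameters, then sign the whole request."""
    signed = dict(params)
    signed.update({
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    signed["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, signed), consumer_secret, token_secret)
    return signed


# Server-side state (constructed): registered consumers and outstanding request tokens.
CONSUMERS = {"example-consumer-key": "example-consumer-secret"}
TOKEN_SECRETS = {"example-request-token": "example-request-token-secret"}


def verify_signature(method: str, url: str, received: dict) -> bool:
    """Server side: recompute what the consumer should have sent and compare in constant time.

    Unknown consumer keys and unknown tokens are rejected outright rather than
    verified against an empty secret. (A production provider would also check the
    timestamp window and reject replayed nonces; that is outside this example.)
    """
    consumer_secret = CONSUMERS.get(received.get("oauth_consumer_key"))
    if consumer_secret is None or received.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    token = received.get("oauth_token")
    if token is not None and token not in TOKEN_SECRETS:
        return False
    token_secret = TOKEN_SECRETS.get(token, "") if token else ""
    expected = hmac_sha1_signature(signature_base_string(method, url, received),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), received.get("oauth_signature", "").encode())


def access_token_endpoint(method: str, url: str, received: dict):
    """What the post expected the provider to do: no valid signature, no token."""
    if not verify_signature(method, url, received):
        return None
    return {"oauth_token": "issued-access-token", "oauth_token_secret": "issued-access-secret"}


if __name__ == "__main__":
    url = "https://api.example/oauth/access_token"
    req = sign_request("POST", url, {"oauth_token": "example-request-token", "oauth_verifier": "v"},
                       "example-consumer-key", "example-consumer-secret", "example-request-token-secret")
    print("valid request  ->", access_token_endpoint("POST", url, req))
    req["oauth_signature"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAA="   # forged signature
    print("forged request ->", access_token_endpoint("POST", url, req))
```

The base string and key construction are the parts clients most often get wrong (wrong sort order, double encoding, a missing `&` when there is no token secret), which is why a provider that skips verification on one endpoint can look like it "just works" during development.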
