In short: there's a security issue with OAuth, and the major OAuth
providers are working together to patch the vulnerability before
information about the issue is publicly released. That information
will be available at http://oauth.net/ at midnight, PST.
In cooperation with this consortium of other OAuth providers
(including Yahoo!, Google, Netflix, etc.), we agreed not to disclose
the nature of the vulnerability, nor even that a vulnerability
existed, until all members of the group agreed to do so. I apologize
for what must have seemed unnecessarily tight-lipped communication
around this issue, but please understand that we and the other
companies involved are trying to mitigate the impact of this
vulnerability as much as possible.
Please also note that our OAuth support is in beta, albeit public
beta. We have not suggested to developers that they rely solely on
OAuth until our support of the standard leaves beta. I know that some
companies practice a policy of "perpetual beta", but at Twitter, we do
not. For us, "beta" really means "still in testing, not suitable for
Thanks for your patience and understanding.
Alex Payne - API Lead, Twitter, Inc.