Twitter, Watch Out: OAuth Has a Security Problem with Exploits
Just as I was developing a web app, I found out that OAuth yesterday released a security advisory which impacts sites like Twitter, Google, Netflix and a few others, which you can read about here.
So far it has not been reported to OAuth that any of these sites have been impacted by this security problem.
Details from the OAuth Advisory:
The attack starts with the attacker visiting the (honest) Consumer site, optionally logging into an account he owns at that site. The attacker initiates the OAuth authorization process but rather than follow the redirect from the Consumer to obtain authorization, the attacker instead saves the authorization request URI (which includes the Request Token). Later, the attacker convinces a victim to click on a link consisting of the authorization request URI to approve access to the victim's Protected Resources to the (honest) Consumer.
By clicking on the link, the victim continues the request that the attacker initiated, including the Request Token that the (honest) Consumer issued to the attacker. Note that the victim is redirected to the legitimate approval page at the Service Provider and prompted by the Service Provider to approve the (honest) Consumer. It is not possible for the victim to detect that there is an ongoing attack.
After the victim grants approval, the attacker can use the saved Request Token to complete the authorization flow, and access whatever Protected Resources are exposed by the (honest) Consumer site as part of its service. If the attacker has an account with the (honest) Consumer site, the access may persist in future visits. XSRF protections at the Consumer site do not mitigate against this attack.
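To make the sequence in the advisory concrete, here is an added model of the Service Provider's request-token bookkeeping (my own constructed code, not from the advisory, Twitter, or any OAuth library). With `require_verifier=False` it reproduces the flaw above: a Request Token started by one party and approved by another can be exchanged by the party that started it. With `require_verifier=True` it goes beyond the advisory text and adds the per-approval verifier code that OAuth 1.0a later introduced, which is what breaks the link between the saved token and the victim's approval.

```python
import secrets


class ServiceProvider:
    """Constructed model of the Service Provider side of OAuth 1.0 request tokens."""

    def __init__(self, require_verifier: bool):
        self.require_verifier = require_verifier
        self.tokens = {}  # request token -> {"approved_by": user, "verifier": code}

    def issue_request_token(self) -> str:
        token = secrets.token_hex(8)
        self.tokens[token] = {"approved_by": None, "verifier": None}
        return token

    def approve(self, token: str, user: str):
        """The user who clicked the authorization link approves the Consumer.
        The verifier (if any) is delivered only to that user's browser via the callback."""
        record = self.tokens[token]
        record["approved_by"] = user
        if self.require_verifier:
            record["verifier"] = secrets.token_hex(8)
        return record["verifier"]

    def exchange(self, token: str, verifier=None):
        """Trade an approved request token for an access token, or None if refused."""
        record = self.tokens.get(token)
        if record is None or record["approved_by"] is None:
            return None  # unknown token or never approved
        if self.require_verifier and verifier != record["verifier"]:
            return None  # caller holds the token but not the approval's verifier
        return f"access-token:{record['approved_by']}"


def simulate(require_verifier: bool):
    """Replay the advisory's sequence and return what the party that started the
    flow ends up with after someone else approves the token (None = stopped)."""
    sp = ServiceProvider(require_verifier)
    saved_token = sp.issue_request_token()  # started, then saved, by the first party
    _victim_verifier = sp.approve(saved_token, "victim")  # victim clicks and approves
    # The verifier went to the victim's browser; the first party only has the token.
    return sp.exchange(saved_token)


if __name__ == "__main__":
    print("OAuth 1.0 style:", simulate(False))  # victim's access token: the flaw
    print("with verifier:  ", simulate(True))   # None: exchange refused
```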
You can read more about this Security Advisory and Security Issue.
Update: Looks like the Twitter API lead is already aware of that (Google Groups).