To improve security, rotate your passwords frequentlypic.twitter.com/ABn0NlvIbZ
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
the nonce isn't important so leaking to google doesn't matter. the new line injection is interesting but useless since if you modify the qr code the login becomes useless and thus can't use to hack.
Thanks David for taking the time & looking in to it. There are other implementations that generate the QR locally. If you're using line breaks when generating the URL, it won't send the signed response, so that's also unable to be abused. If you find anything else, let me know :)
doesnt really matter. since nonce is just random data. and qr code can not be modified and still be meaningful.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.