views: 21
answers: 1
I'm creating a WordPress plugin for collectively managing a Twitter account. I want to allow the user to add accounts via the Admin panel similar to the way twitterfeed.com does.

However, the only way I can see of doing it is to get the user to sign in to their account, register the application under a unique name and paste in the Consumer Key and Consumer Secret to my application.

What are the security repercussions of simply distributing a single Consumer Key and Consumer Secret with my plugin, so that I can get the Request Token and Access Token and minimise the effort required by the user?

+2  A: 

As I understand it, the biggest issue (I'm not sure it's necessarily a security issue) is that someone will use your Key/Secret inappropriately (let's say a spamming application) causing it to get revoked. At that point, every instance of your plug-in will fail to authenticate and you'll have to generate a new one, incorporate it in your plug-in and get all the users to update. Which is probably not ideal...

Ars Technica had a pretty good write-up about it here

Dusty
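What the Consumer Secret actually does in OAuth 1.0a, as an added example (written for this page, not code from the question, the answer, or any WordPress plugin; Python rather than PHP, since the point is the protocol, not the plugin): the secret is one half of the HMAC-SHA1 signing key for every API request, and the provider looks up the matching secret by the public `oauth_consumer_key`. The keys, secrets, nonce, timestamp and endpoint below are made up. The demo goes slightly beyond the answer: it shows that a copy of the shipped consumer secret alone does not let someone sign on an existing user's behalf (the user's token secret is still needed), but that anyone who completes the normal OAuth dance with your consumer key gets requests that the provider attributes to your application, which is exactly the abuse that leads to the key being revoked for every installation.

```python
"""RFC 5849 (OAuth 1.0a) HMAC-SHA1 signing, reduced to the parts that show
what the consumer secret is for.  Constructed demo data only."""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value) -> str:
    # Section 3.6: only unreserved characters (A-Z a-z 0-9 - . _ ~) stay bare.
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    # Section 3.4.1.2: scheme and host lower-cased, default ports dropped, no query.
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params) -> str:
    # Section 3.4.1: METHOD & encoded(base URI) & encoded(normalized params).
    # params holds every oauth_* field plus query/body fields as (name, value) pairs.
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    # Section 3.4.2: the HMAC key is "consumer secret & token secret".
    # Whoever holds the consumer secret holds half of every key your app will ever use.
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign_request(method, url, oauth_params, consumer_secret, token_secret="", extra_params=()):
    params = list(oauth_params.items()) + list(extra_params)
    base = signature_base_string(method, url, params)
    digest = hmac.new(signing_key(consumer_secret, token_secret).encode(),
                      base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def server_verify(method, url, oauth_params, signature, consumer_secrets, token_secrets, extra_params=()):
    """The provider's side: secrets are looked up by the PUBLIC identifiers and the
    signature recomputed, so the consumer key alone names the app being billed."""
    consumer_secret = consumer_secrets.get(oauth_params["oauth_consumer_key"])
    if consumer_secret is None:
        return False
    token_secret = token_secrets.get(oauth_params.get("oauth_token", ""), "")
    expected = sign_request(method, url, oauth_params, consumer_secret, token_secret, extra_params)
    return hmac.compare_digest(expected, signature)


# --- constructed demo data (assumed, not real credentials or endpoints) ---
PLUGIN_CONSUMER_KEY = "pluginkey123"          # shipped inside the plugin
PLUGIN_CONSUMER_SECRET = "pluginsecret456"    # shipped inside the plugin too
USER_TOKEN, USER_TOKEN_SECRET = "usertoken789", "usertokensecret000"
URL = "https://api.example.com/1/statuses/update.json"


def build_oauth_params(consumer_key, token, nonce="abc123", timestamp="1300000000"):
    return {"oauth_consumer_key": consumer_key, "oauth_token": token,
            "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": timestamp,
            "oauth_nonce": nonce, "oauth_version": "1.0"}


def demo():
    """Returns (legit_ok, leaked_secret_without_user_token_ok, own_token_under_your_key_ok)."""
    consumer_secrets = {PLUGIN_CONSUMER_KEY: PLUGIN_CONSUMER_SECRET}   # provider's app table
    token_secrets = {USER_TOKEN: USER_TOKEN_SECRET}                    # provider's token table
    body = [("status", "hello from the plugin")]
    params = build_oauth_params(PLUGIN_CONSUMER_KEY, USER_TOKEN)

    # 1. The plugin signs with both secrets: accepted.
    sig = sign_request("POST", URL, params, PLUGIN_CONSUMER_SECRET, USER_TOKEN_SECRET, body)
    legit_ok = server_verify("POST", URL, params, sig, consumer_secrets, token_secrets, body)

    # 2. Someone who read the consumer secret out of the plugin source but has no
    #    user token secret cannot forge a request for that user: rejected.
    sig_no_user = sign_request("POST", URL, params, PLUGIN_CONSUMER_SECRET, "", body)
    no_user_ok = server_verify("POST", URL, params, sig_no_user, consumer_secrets, token_secrets, body)

    # 3. But they can run the normal OAuth flow with YOUR consumer key, obtain a
    #    token of their own, and post whatever they like as "your application".
    token_secrets["spamtoken"] = "spamtokensecret"
    spam_params = build_oauth_params(PLUGIN_CONSUMER_KEY, "spamtoken")
    spam_sig = sign_request("POST", URL, spam_params, PLUGIN_CONSUMER_SECRET, "spamtokensecret", [("status", "spam")])
    spam_ok = server_verify("POST", URL, spam_params, spam_sig, consumer_secrets, token_secrets, [("status", "spam")])
    return legit_ok, no_user_ok, spam_ok


if __name__ == "__main__":
    print(demo())
```

Case 3 is the revocation scenario the answer describes: the provider has no way to tell the spammer's installation from a legitimate one, because both present the same `oauth_consumer_key` and sign with the same consumer secret, so the only lever it has is to disable that key for everyone.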