I've seen many implementations of OAuth in web apps. And everywhere I looked, one step was always missing: the verification of the token.
A token is a little XML fragment with information such as your e-mail address or your public ID in the service you are using for authentication. For example, Google's token contains your Gmail address, and Twitter's contains an integer, if I remember right. It also contains a digital signature to ensure the token wasn't created in Notepad. Websites will not try to check that signature, because all they need is presented in clear text. They choose the path of least resistance, so to say.
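To make the missing step concrete, here is an added example (not code from the post or from any provider) of the difference between reading the clear-text claims and actually verifying them. The token format and the HMAC-SHA256 signature over a JSON payload are assumptions standing in for whatever scheme a real provider uses; the names `issue_token`, `naive_parse`, `verify_token` and `notepad_token` are hypothetical. The point generalizes: whatever the signature scheme, the relying site has to check it before trusting the e-mail address or ID inside.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret. Assumption: the provider signs tokens with
# HMAC-SHA256 over the serialized claims; a real provider's scheme differs,
# but the verify-before-trust step is the same.
ISSUER_KEY = b"constructed-demo-signing-key"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _serialize(claims: dict) -> bytes:
    # Canonical form so the same claims always produce the same bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_token(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Provider side (hypothetical): 'payload.signature' with the signature covering the payload."""
    payload = _serialize(claims)
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def notepad_token(claims: dict) -> str:
    """Constructed test input: the claims with a placeholder where the signature should be,
    i.e. a token 'created in Notepad' that verification is supposed to reject."""
    return f"{_b64(_serialize(claims))}.{_b64(b'not-a-real-signature')}"


def naive_parse(token: str) -> dict:
    """What the post describes: read the clear-text claims and ignore the signature entirely."""
    payload_b64, _signature = token.split(".", 1)
    return json.loads(_unb64(payload_b64))


def verify_token(token: str, key: bytes = ISSUER_KEY) -> Optional[dict]:
    """Relying-site side: return the claims only if the signature checks out, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
        claims = json.loads(payload)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None  # malformed token: never fall back to the clear-text claims
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the signature.
    if not hmac.compare_digest(sig, expected):
        return None
    return claims


if __name__ == "__main__":
    genuine = issue_token({"email": "alice@example.com", "sub": 42})
    forged = notepad_token({"email": "admin@example.com", "sub": 1})
    print("naive parse of forged token:", naive_parse(forged))   # trusts whatever is written
    print("verified genuine token:     ", verify_token(genuine))  # returns the claims
    print("verified forged token:      ", verify_token(forged))   # None
```

`naive_parse` is the behaviour the post complains about: it returns whatever claims the bytes carry, signature or not. `verify_token` is the missing step; a token with a placeholder signature, a token signed under a different key, or a malformed string all come back as `None` rather than as a logged-in user.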
In truth, most small software companies don't have people who bother to understand OAuth. Large software companies may have such a person. But the funny thing is, these guys usually don't go further than mocking you for using other ways of authentication, blindly believing that their implementation of OAuth (downloaded from a source-sharing website a few years ago, at best) is god-given and immaculate. Their use of OAuth code snippets is like praying in Latin: they don't understand a fck about what they do, but it feels like a Greater Power is taking the burden of thinking from them.