Can someone summarize if (and how) this is different from the timing attack on OAuth from last year that prompted OAuth 1.0a?