diff --git a/History.md b/History.md
index b2919c34c6..ab0a6507de 100644
--- a/History.md
+++ b/History.md
@@ -29,6 +29,13 @@
 - Node.js from 0.10.25 to 0.10.26.
 - MongoDB driver from 1.3.19 to 1.4.1
+
+## v0.8.0.1
+
+* Fix security flaw in OAuth1 implementation. Clients can no longer
+  choose the callback_url for OAuth1 logins.
+
+
 ## v0.8.0
 Meteor 0.8.0 introduces Blaze, a total rewrite of our live templating engine,
diff --git a/docs/.meteor/release b/docs/.meteor/release
index a3df0a6959..4b324f2d8f 100644
--- a/docs/.meteor/release
+++ b/docs/.meteor/release
@@ -1 +1 @@
-0.8.0
+0.8.0.1
diff --git a/docs/lib/release-override.js b/docs/lib/release-override.js
index df4928d93b..6ca2e658be 100644
--- a/docs/lib/release-override.js
+++ b/docs/lib/release-override.js
@@ -1,5 +1,5 @@
 // While galaxy apps are on their own special meteor releases, override
 // Meteor.release here.
 if (Meteor.isClient) {
-  Meteor.release = Meteor.release ? "0.8.0" : undefined;
+  Meteor.release = Meteor.release ? "0.8.0.1" : undefined;
 }
diff --git a/examples/clock/.meteor/release b/examples/clock/.meteor/release
index a3df0a6959..4b324f2d8f 100644
--- a/examples/clock/.meteor/release
+++ b/examples/clock/.meteor/release
@@ -1 +1 @@
-0.8.0
+0.8.0.1
diff --git a/examples/leaderboard/.meteor/release b/examples/leaderboard/.meteor/release
index a3df0a6959..4b324f2d8f 100644
--- a/examples/leaderboard/.meteor/release
+++ b/examples/leaderboard/.meteor/release
@@ -1 +1 @@
-0.8.0
+0.8.0.1
diff --git a/examples/parties/.meteor/release b/examples/parties/.meteor/release
index a3df0a6959..4b324f2d8f 100644
--- a/examples/parties/.meteor/release
+++ b/examples/parties/.meteor/release
@@ -1 +1 @@
-0.8.0
+0.8.0.1
diff --git a/examples/todos/.meteor/release b/examples/todos/.meteor/release
index a3df0a6959..4b324f2d8f 100644
--- a/examples/todos/.meteor/release
+++ b/examples/todos/.meteor/release
@@ -1 +1 @@
-0.8.0
+0.8.0.1
diff --git a/examples/wordplay/.meteor/release b/examples/wordplay/.meteor/release
index a3df0a6959..4b324f2d8f 100644
--- a/examples/wordplay/.meteor/release
+++ b/examples/wordplay/.meteor/release
@@ -1 +1 @@
-0.8.0
+0.8.0.1
diff --git a/packages/oauth1/oauth1_server.js b/packages/oauth1/oauth1_server.js
index 32334a0de3..49189f41db 100644
--- a/packages/oauth1/oauth1_server.js
+++ b/packages/oauth1/oauth1_server.js
@@ -11,9 +11,11 @@ Oauth._requestHandlers['1'] = function (service, query, res) {
   if (query.requestTokenAndRedirect) {
     // step 1 - get and store a request token
+    var callbackUrl = Meteor.absoluteUrl("_oauth/twitter?close&state=" +
+                                         query.state);
     // Get a request token to start auth process
-    oauthBinding.prepareRequestToken(query.requestTokenAndRedirect);
+    oauthBinding.prepareRequestToken(callbackUrl);
     // Keep track of request token so we can verify it on the next step
     Oauth._storeRequestToken(query.state,
diff --git a/packages/twitter/twitter_client.js b/packages/twitter/twitter_client.js
index 5d8da022a2..628d7485d2 100644
--- a/packages/twitter/twitter_client.js
+++ b/packages/twitter/twitter_client.js
@@ -24,14 +24,9 @@ Twitter.requestCredential = function (options, credentialRequestCompleteCallback
   // a credentialToken parameter to the url and the callback url that we'll be returned
   // to by oauth provider
-  // url back to app, enters "step 2" as described in
-  // packages/accounts-oauth1-helper/oauth1_server.js
-  var callbackUrl = Meteor.absoluteUrl('_oauth/twitter?close&state=' + credentialToken);
-
   // url to app, enters "step 1" as described in
   // packages/accounts-oauth1-helper/oauth1_server.js
-  var loginUrl = '/_oauth/twitter/?requestTokenAndRedirect=' + encodeURIComponent(callbackUrl)
+  var loginUrl = '/_oauth/twitter/?requestTokenAndRedirect=true'
     + '&state=' + credentialToken;
   Oauth.showPopup(
diff --git a/scripts/admin/banner.txt b/scripts/admin/banner.txt
index cb26735a33..92f42a493e 100644
--- a/scripts/admin/banner.txt
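Review bot: The new `callbackUrl` in `Oauth._requestHandlers['1']` concatenates `query.state` into the URL unencoded and hard-codes the `_oauth/twitter` path inside a handler that is keyed by service rather than by Twitter. `state` comes straight from the client query string, so a value carrying `&`, `#` or `/` reshapes the callback URL that gets registered with the provider; `Meteor.absoluteUrl("_oauth/twitter?close&state=" + encodeURIComponent(query.state))` closes that gap, and a short comment should record that the callback is fixed server-side precisely because the client-supplied `requestTokenAndRedirect` value was the flaw. The hard-coded `twitter` segment would send any other OAuth1 service routed through this handler back to the Twitter endpoint; deriving the path from the `service` argument shown in the hunk header would avoid that, though whether it exposes the service name is not visible here. The enclosing function starts before the hunk and continues after it.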
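Review bot: The comment directly above the rewritten `loginUrl` still points to `packages/accounts-oauth1-helper/oauth1_server.js`, while the handler that consumes `requestTokenAndRedirect` in this same commit lives at `packages/oauth1/oauth1_server.js`, so the reference is stale. Since the callback URL is no longer built here, the comment should also say so, e.g. `// url to app, enters "step 1" in packages/oauth1/oauth1_server.js; the server now fixes the callback url itself`. The unchanged continuation line `+ '&state=' + credentialToken` still interpolates the token without `encodeURIComponent`, which is only safe while the token is a URL-safe id; encoding it costs nothing and removes the assumption. `Twitter.requestCredential` begins before the hunk and continues after it.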
+++ b/scripts/admin/banner.txt
@@ -1,7 +1,4 @@
-=> Meteor 0.8.0: Introducing Blaze, Meteor's new live templating engine!
-   Better integration with jQuery plugins, fine-grained updates,
-   reactive SVG support, and more!
-   https://github.com/meteor/meteor/wiki/Using-Blaze
+=> Meteor 0.8.0.1: Fix security problem in Twitter OAuth flow.
 This release is being downloaded in the background. Update your
-   project to Meteor 0.8.0 by running 'meteor update'.
+   project to Meteor 0.8.0.1 by running 'meteor update'.
diff --git a/scripts/admin/notices.json b/scripts/admin/notices.json
index a0374986de..3d232543db 100644
--- a/scripts/admin/notices.json
+++ b/scripts/admin/notices.json
@@ -94,6 +94,9 @@
   {
     "release": "0.7.2"
   },
+  {
+    "release": "0.7.2.1"
+  },
   {
     "release": "0.8.0",
     "notices": [
@@ -111,6 +114,9 @@
       "http://madewith.meteor.com/ no longer supports app badges."]
     }
   },
+  {
+    "release": "0.8.0.1"
+  },
   {
     "release": "NEXT"
   }