They done screwed up. They follow the link out, and pull out all the paths of all pages linked to by that page. But rather than requesting those from Twitter, they use their original connection and request them against *my* site (inc. using the host header for my site) 3/