apigy / selfstarter

Roll your own crowdfunding

Home Page: selfstarter.us

Signature is never verified in #postfill

Peeja opened this issue

Maybe I'm missing something, but it looks to me like the signature param is never verified during OrdersController#postfill. That means that anyone could construct a URL for that action.

Granted, it doesn't seem too worrisome given what that controller does, but someone could, for instance, potentially snag an authorized token, change the shipping address, and then pass along the altered values to the Selfstarter app.
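To make the gap concrete, here is an added example (not the selfstarter code base, and not the signature scheme of any particular payment provider) of what the issue describes: a `postfill`-style handler that trusts its query parameters as they arrive, beside one that only acts after checking that a signature covers every parameter it uses. The HMAC-SHA256 scheme, the `SHARED_SECRET`, the parameter names (`tokenID`, `status`, `shippingAddress`, `signature`) and the helper names are all assumptions made for this example; a real provider defines its own canonicalization and key material, and the check must follow that specification exactly.

```ruby
require "openssl"
require "uri"

# Hypothetical shared secret; in practice this is whatever the payment
# provider issues, loaded from configuration rather than source.
SHARED_SECRET = "example-secret-do-not-use".freeze

# Canonical string-to-sign: every parameter except the signature itself,
# sorted by key and percent-encoded (an assumed scheme used so the example
# is self-contained; real providers publish their own canonicalization).
def canonical_string(params)
  params.reject { |k, _| k == "signature" }
        .sort_by { |k, _| k }
        .map { |k, v| "#{URI.encode_www_form_component(k)}=#{URI.encode_www_form_component(v)}" }
        .join("&")
end

# HMAC-SHA256 over the canonical string, hex-encoded.
def sign(params, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, canonical_string(params))
end

# Constant-time comparison so a forger cannot learn the expected MAC
# one byte at a time from timing differences.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only if a signature is present and matches the parameters as received.
def signature_valid?(params, secret)
  given = params["signature"]
  return false if given.nil? || given.empty?
  secure_compare(sign(params, secret), given)
end

# "Before": the behaviour the issue describes. Whatever is on the query
# string is accepted, so a captured token can be resubmitted with a
# different shipping address.
def postfill_unverified(params)
  { token: params["tokenID"], ship_to: params["shippingAddress"], status: params["status"] }
end

# "After": refuse to touch the order unless the signature binds the token
# to every parameter the handler acts on. Returns nil on failure.
def postfill_verified(params, secret)
  return nil unless signature_valid?(params, secret)
  postfill_unverified(params)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed callback, as the provider would send it.
  legit = { "tokenID" => "tok-123", "status" => "SC", "shippingAddress" => "1 Main St" }
  legit["signature"] = sign(legit, SHARED_SECRET)
  # Same token, altered address, original signature: the attack in the issue.
  tampered = legit.merge("shippingAddress" => "99 Elsewhere Rd")

  puts "unverified accepts tampered: #{postfill_unverified(tampered)[:ship_to]}"
  puts "verified accepts legit:      #{postfill_verified(legit, SHARED_SECRET)[:ship_to]}"
  puts "verified rejects tampered:   #{postfill_verified(tampered, SHARED_SECRET).nil?}"
end
```

Two points the example is built around: the signature has to cover every parameter the action relies on (here the token, status and address together), otherwise an attacker can keep the signed fields and swap the unsigned ones; and the comparison has to be constant-time, since a handler that short-circuits on the first mismatched byte leaks the expected value. A missing or empty `signature` is treated the same as a wrong one.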