Hacking, Coding and Gaming | @[email protected]

Twitter does something I consider poor practice, security-wise: it neither renames uploaded avatar images nor strips the EXIF metadata from them. That creates a few potential security issues, all of which I've personally come across:

  1. The image might be named with the person's first and last name - potentially disclosing more than they intended to in their Twitter profile
  2. Many people download their Facebook profile picture to use on Twitter - Facebook renames uploaded files to include the Facebook user ID, allowing you to easily find their Facebook profile (as opposed to trying to search on their first and last name)
  3. If the original filename is unique enough you can often find other related pictures just by Googling it
  4. You can use something like Jeffrey's Exif viewer to extract EXIF information from the image - often telling you what type of camera/phone the user has

Sure, they're small things, but for anyone wanting to social-engineer a target they all help. The frustrating part: it would take only a few lines of code for Twitter to prevent this, and it really is (in my opinion) a best practice they're simply not bothering to follow.
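To show what those "few lines of code" look like, here is an added example (my own code, not Twitter's and not from the original post) that does the two things the post asks for: it drops the client-supplied filename in favour of a random, content-derived one, and it removes the JPEG segments where identifying metadata lives (APP1 Exif/XMP, APP2 ICC, APP13 IPTC, COM comments) while keeping the segments a decoder needs (APP0 JFIF, APP14 Adobe). It also reads the Make/Model/Software tags out of Exif IFD0 so you can see exactly what leaks before cleaning. The sample JPEG is constructed inline (header segments followed by a stub scan, no real picture data) and uses the camera name "Canon" / "EOS 5D Mark II" as made-up sample values. Standard library only; in a real upload pipeline you would typically just re-encode the image through an image library, which discards the metadata as a side effect, but doing it by hand shows where the data actually sits.

```python
"""Strip identifying metadata and filenames from a JPEG avatar before storing it."""
import secrets
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
TIFF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software"}  # Exif IFD0 tags we report
KEEP_APP = {0xE0, 0xEE}  # APP0 (JFIF) and APP14 (Adobe colour transform): decoders rely on these


def segment(marker, payload):
    """Encode one JPEG segment: 0xFF, marker, 2-byte big-endian length (including itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def parse_jpeg(data):
    """Split a JPEG into ([(marker, payload), ...], tail).

    tail is everything from SOS (0xDA) onward: entropy-coded image data that
    is copied through untouched, so metadata can only hide in the segments before it.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:
            return segments, data[pos:]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("no SOS marker found")


def segment_name(marker, payload):
    """Human-readable name such as 'APP1/Exif' or 'COM', using the payload's identifier string."""
    if marker == 0xFE:
        return "COM"
    ident = payload.split(b"\x00", 1)[0][:32].decode("latin-1")
    return f"APP{marker - 0xE0}/{ident}"


def strip_metadata(data):
    """Return (cleaned_jpeg, removed_segment_names) with all APPn except JFIF/Adobe, and COM, dropped."""
    segments, tail = parse_jpeg(data)
    out, removed = bytearray(SOI), []
    for marker, payload in segments:
        if (0xE0 <= marker <= 0xEF and marker not in KEEP_APP) or marker == 0xFE:
            removed.append(segment_name(marker, payload))
            continue
        out += segment(marker, payload)
    return bytes(out) + tail, removed


def exif_camera_info(data):
    """Read Make/Model/Software from the Exif APP1 segment's IFD0; {} if there is no Exif."""
    for marker, payload in parse_jpeg(data)[0]:
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            break
    else:
        return {}
    tiff = payload[6:]  # TIFF header: byte order, magic 42, offset of IFD0
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return {}
    (ifd,) = struct.unpack(endian + "I", tiff[4:8])
    (count,) = struct.unpack(endian + "H", tiff[ifd:ifd + 2])
    found = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack(endian + "HHI4s", tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i])
        if tag in TIFF_TAGS and typ == 2:  # type 2 = ASCII; value is inline if it fits in 4 bytes
            if n <= 4:
                value = raw[:n]
            else:
                (off,) = struct.unpack(endian + "I", raw)
                value = tiff[off:off + n]
            found[TIFF_TAGS[tag]] = value.rstrip(b"\x00").decode("ascii", "replace")
    return found


def build_exif_app1(fields):
    """Build an APP1 payload holding a little-endian Exif/TIFF IFD0 with the given ASCII tags (sample data)."""
    entries, blob = b"", b""
    data_off = 8 + 2 + 12 * len(fields) + 4  # header + count + entries + next-IFD pointer
    for tag, text in sorted(fields.items()):
        value = text.encode("ascii") + b"\x00"
        raw = value.ljust(4, b"\x00") if len(value) <= 4 else struct.pack("<I", data_off + len(blob))
        if len(value) > 4:
            blob += value
        entries += struct.pack("<HHI4s", tag, 2, len(value), raw)
    return b"Exif\x00\x00" + b"II\x2a\x00" + struct.pack("<I", 8) + struct.pack("<H", len(fields)) + entries + struct.pack("<I", 0) + blob


def storage_name(data):
    """Pick a storage filename from content only; the upload's own name is never used."""
    ext = "jpg" if data[:2] == SOI else "bin"  # sniff the bytes rather than trusting the client's extension
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample: JFIF header, Exif with made-up camera details, a comment, then a stub scan.
SAMPLE_JPEG = (
    SOI
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xE1, build_exif_app1({0x010F: "Canon", 0x0110: "EOS 5D Mark II", 0x0131: "Photos 1.0"}))
    + segment(0xFE, b"edited by jane.doe")
    + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\x11\x22"  # SOS header + placeholder scan bytes
    + EOI
)

if __name__ == "__main__":
    print("before:", exif_camera_info(SAMPLE_JPEG))
    cleaned, removed = strip_metadata(SAMPLE_JPEG)
    print("removed:", removed, "after:", exif_camera_info(cleaned), "stored as:", storage_name(cleaned))
```

Run it and the "before" line shows the camera make and model that a viewer like Jeffrey's would report; after cleaning, only the JFIF segment remains and the file is stored under a random 32-hex-character name, so neither the uploader's name nor any upstream site's ID scheme survives in the URL. The same idea applies to PNG avatars, where the equivalent leak lives in tEXt/iTXt/zTXt and eXIf chunks rather than APP segments.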