by tptacek 4262 days ago
Plus the added win of keeping everyone on their toes about open redirects!
1 comment

If I can translate Thomas for the benefit of non-security professionals in the room, several researchers (most prominently, Egor Homakov) have repeatedly demonstrated the combination of a) using OAuth in certain configurations and b) having an open redirect on the OAuth consumer site allows an interested attacker to achieve privileges from the OAuth provider site to the limit of a trusted consumer site.

What does that mean? Alice uses Bob's site, which she trusts, and authorizes it to operate her Twitter account for some limited purpose. Bob's site includes an open redirect. Mallory carefully crafts a URL that theoretically exists on Bob's domain but redirects to a server Mallory controls (which displays a cute cat photo and exfiltrates the OAuth token) and then posts it, as one does with cat photos, somewhere where Alice can see it. If Alice sees that cat photo, Mallory can now manipulate Alice's Twitter account to the maximum extent permitted by Bob.
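The flow described in the comments above, worked through as an added example that is not part of the thread or of any real provider's code. It models the implicit grant (token returned in the URL fragment) with a provider whose redirect_uri check is a prefix match on Bob's origin, an open redirect at Bob's hypothetical /redirect?next= endpoint, and the browser rule that a 302 whose Location has no fragment inherits the fragment of the URL being redirected (RFC 7231 section 7.1.2). All hostnames, paths and token values are constructed. Beside the vulnerable pieces it shows the two independent fixes: exact-match redirect_uri validation at the provider, and a redirect endpoint at the consumer that only accepts same-site paths.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

# Everything here is constructed for illustration: bob.example is the OAuth
# consumer (Alice trusts it), mallory.example is the attacker's server.
REGISTERED_REDIRECT_URI = "https://bob.example/oauth/callback"


# --- the provider's redirect_uri policy -------------------------------------

def weak_redirect_uri_ok(redirect_uri):
    """Prefix match: accepts any URL under Bob's origin, /redirect included."""
    return redirect_uri.startswith("https://bob.example/")


def strict_redirect_uri_ok(redirect_uri):
    """Exact string match against the value Bob pre-registered."""
    return redirect_uri == REGISTERED_REDIRECT_URI


def provider_authorize(redirect_uri, redirect_uri_ok):
    """Alice is logged in and has already consented to Bob, so the provider
    issues a token (implicit grant: token in the fragment) and 302s the
    browser to redirect_uri.  Returns the Location URL, or None if refused."""
    if not redirect_uri_ok(redirect_uri):
        return None
    s = urlsplit(redirect_uri)
    fragment = urlencode({"access_token": "alice-twitter-token"})
    return urlunsplit((s.scheme, s.netloc, s.path, s.query, fragment))


# --- Bob's /redirect endpoint ------------------------------------------------

def open_redirect(url):
    """Vulnerable: 302 to whatever ?next= says.  Returns the Location or None."""
    s = urlsplit(url)
    if s.path != "/redirect":
        return None
    nxt = parse_qs(s.query).get("next")
    return nxt[0] if nxt else None


def safe_redirect(url):
    """Hardened: only same-site absolute paths; anything else goes to /."""
    s = urlsplit(url)
    if s.path != "/redirect":
        return None
    nxt = parse_qs(s.query).get("next", ["/"])[0]
    # reject scheme-relative (//host), backslash tricks and full URLs
    if not nxt.startswith("/") or nxt.startswith("//") or "\\" in nxt:
        nxt = "/"
    return f"https://{s.netloc}{nxt}"


# --- browser behaviour -------------------------------------------------------

def browser_follow(url, location):
    """Follow a 302.  If Location carries no fragment, the browser keeps the
    fragment of the URL it was on (RFC 7231 7.1.2); Bob's server never saw it."""
    if location is None:
        return url
    frag = urlsplit(url).fragment
    loc = urlsplit(location)
    if frag and not loc.fragment:
        return urlunsplit((loc.scheme, loc.netloc, loc.path, loc.query, frag))
    return location


def run_attack(redirect_uri_ok, bob_redirect):
    """Mallory's crafted authorization request: redirect_uri points at Bob's
    /redirect with next= aimed at her own host.  Returns the URL Alice's
    browser finally lands on (fragment included), or None if the provider refused."""
    crafted = "https://bob.example/redirect?" + urlencode(
        {"next": "https://mallory.example/cat.jpg"})
    after_provider = provider_authorize(crafted, redirect_uri_ok)
    if after_provider is None:
        return None
    return browser_follow(after_provider, bob_redirect(after_provider))


def leaked_to_mallory(final_url):
    """True if the token fragment ended up on Mallory's origin, where her
    page's JavaScript can read location.hash and exfiltrate it."""
    s = urlsplit(final_url or "")
    return s.netloc == "mallory.example" and "access_token=" in s.fragment


if __name__ == "__main__":
    print("weak provider + open redirect :", run_attack(weak_redirect_uri_ok, open_redirect))
    print("strict provider + open redirect:", run_attack(strict_redirect_uri_ok, open_redirect))
    print("weak provider + safe redirect :", run_attack(weak_redirect_uri_ok, safe_redirect))
```

Either fix alone stops this particular chain, which is why the thread treats both sides as responsible: the provider should not let a consumer's registration cover arbitrary paths on its origin, and the consumer should not host an open redirect at all. Note that the token never reaches Bob's server in the vulnerable case; it rides along in the fragment purely on the browser side, which is what makes the open redirect sufficient.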