Twitter OAuth Outage Was A Vulnerability In OAuth Itself (groups.google.com)
52 points by tptacek on April 22, 2009 | hide | past | favorite | 6 comments


These community-designed security protocols make me really tired. Just leave it to the experts.


The advisory is up at http://oauth.net/advisories/2009-1 and the blogs are abuzz with more (or, in enough cases, less) information. Basically, the problem is that an attacker can keep a request token around and have the victim complete the authentication with the old request token, thus gaining authorization in the victim's name. There is no way for the consumer to tell what's going on, currently.

The suggested workarounds are monitoring and a strong statement about starting Auth workflows from untrusted places. But we all know how well those work. I'm curious about OAuth 1.1 or whatever.
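The token-fixation sequence this comment describes, alongside the provider-side check that closes it, as an added toy model (not code from the thread, the advisory or any OAuth library): the Provider class, user names and token values are constructed here, and the verifier check follows the OAuth 1.0a fix, which the thread itself does not name.

```python
# Toy model of the request-token fixation in OAuth advisory 2009-1 and of the
# oauth_verifier binding from OAuth 1.0a that closes it. Added illustration:
# Provider, the user names and all token values are constructed here.
import secrets


class Provider:
    """Service provider issuing request tokens and exchanging them for access tokens."""

    def __init__(self, require_verifier):
        self.require_verifier = require_verifier
        self.tokens = {}  # request token -> {"user": ..., "verifier": ...}

    def request_token(self):
        tok = secrets.token_hex(8)
        self.tokens[tok] = {"user": None, "verifier": None}
        return tok

    def authorize(self, tok, user):
        # The resource owner approves the request token in the browser. With 1.0a
        # the provider mints a verifier that only that browser session receives.
        rec = self.tokens[tok]
        rec["user"] = user
        rec["verifier"] = secrets.token_hex(8) if self.require_verifier else None
        return rec["verifier"]

    def access_token(self, tok, verifier=None):
        rec = self.tokens.pop(tok, None)
        if rec is None or rec["user"] is None:
            return None  # unknown token, or not yet authorized by anyone
        if self.require_verifier and not secrets.compare_digest(verifier or "", rec["verifier"]):
            return None  # caller cannot prove it was the session that authorized
        return f"access-{rec['user']}"


def fixation_scenario(require_verifier):
    """Request token obtained by one party, authorized by another, exchanged by the first."""
    provider = Provider(require_verifier)
    tok = provider.request_token()      # one party starts the flow and keeps tok
    provider.authorize(tok, "victim")   # the victim is led to approve that same tok
    # The first party finishes the flow with the old token but never saw the verifier.
    return provider.access_token(tok, verifier=None)


def legitimate_flow():
    """The same session starts and finishes the flow, so it holds the verifier."""
    provider = Provider(require_verifier=True)
    tok = provider.request_token()
    verifier = provider.authorize(tok, "victim")
    return provider.access_token(tok, verifier)
```

Without the verifier the provider cannot distinguish the two exchanges, which is the "no way for the consumer to tell" point above; with it, the stale-token exchange fails while the normal flow still completes.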


Didn't any qualified security researchers do a security assessment of OAuth when it was in development? This spec was finalized in 2007 which means we've had at least two years to find this obvious problem.

We've known from the start that OAuth and OpenID are vulnerable to various social engineering attacks, and I guess the communities using each have accepted that as the lesser of two evils. But, you know, somebody has to check that the protocol actually works at least a little.


Any blackhats have any clues as to what this is about? I'm too impatient to wait 7.5 hours :P


The CNet article claims the vulnerability involves "social engineering" attacks that will coerce users into giving up personal information. "Social engineering" in web apps is usually code for "landmine links", and the OAuth protocol itself doesn't communicate any user information of any sort (just an opaque token).




