I read an article documenting Twitter abruptly pulling its OAuth support back in April 2009. The article said it wouldn't specify the hole for security reasons, but mentioned "social engineering" is involved.
I'm guessing that the hole is that a malicious site can pretend to be using OAuth, and redirect the user to a phishing site meant to mimic Twitter in an attempt to get their username and password. Is this correct?
Additionally, whatever the flaw is, how is it being addressed in 2.0?