From the advisory:

"The attack starts with the attacker logging into an account he owns at the (honest) Consumer site. The attacker initiates the OAuth authorization process but rather than follow the redirect from the Consumer to obtain authorization, the attacker instead saves the authorization request URI (which includes the Request Token). Later, the attacker convinces a victim to click on a link consisting of the authorization request URI to approve access to the victim’s Protected Resources to the (honest) Consumer. By clicking on the link, the victim continues the request that the attacker initiated, including the Request Token that the (honest) Consumer issued to the attacker. Note that the victim is redirected to the legitimate approval page at the Service Provider and prompted by the Service Provider to approve the (honest) Consumer. It is not possible for the victim to detect that there is an ongoing attack. After the victim grants approval, the attacker can use the saved Request Token to complete the authorization flow, and access whatever Protected Resources are exposed by the (honest) Consumer site as part of its service."
Advisory Link: http://oauth.net/advisories/2009-1
Additional reading: http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html
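
The flaw the advisory describes is that nothing ties the Request Token to the user who approves it. The following toy model is an added example, not code from the advisory or from any OAuth library. It shows the same sequence against a Service Provider with and without a per-approval verifier. The verifier check is the approach taken by OAuth 1.0a (oauth_verifier), which is not described on this page; the class and function names are hypothetical, and signatures and callbacks are omitted.

```python
import secrets

class ServiceProvider:
    """Toy in-memory Service Provider (constructed model, not a real OAuth library)."""

    def __init__(self, require_verifier):
        # False models the flow in the advisory; True adds a 1.0a-style verifier.
        self.require_verifier = require_verifier
        self.tokens = {}  # request token -> approval state

    def issue_request_token(self):
        token = secrets.token_hex(8)
        self.tokens[token] = {"approved_by": None, "verifier": None}
        return token

    def approve(self, token, user):
        """User approves on the legitimate page; returns what that user's browser carries back."""
        state = self.tokens[token]
        state["approved_by"] = user
        state["verifier"] = secrets.token_hex(8)
        # The verifier only ever reaches the browser that performed the approval.
        return state["verifier"] if self.require_verifier else None

    def exchange(self, token, verifier=None):
        """Exchange an approved Request Token for access to the approver's resources."""
        state = self.tokens.get(token)
        if state is None or state["approved_by"] is None:
            return None
        if self.require_verifier and not (
            verifier and secrets.compare_digest(verifier, state["verifier"])
        ):
            return None  # holder of the token cannot prove they saw the approval
        del self.tokens[token]  # Request Tokens are single use
        return "access-to:" + state["approved_by"]

def replay_saved_token(require_verifier):
    """Advisory sequence: token issued in one session, approved by a different user."""
    sp = ServiceProvider(require_verifier)
    saved_token = sp.issue_request_token()  # issued to the initiating session
    sp.approve(saved_token, "victim")       # another user approves via the saved URI
    return sp.exchange(saved_token)         # initiator never saw the approver's redirect

def same_user_flow(require_verifier):
    """Normal flow: the user who started the request also approves and returns."""
    sp = ServiceProvider(require_verifier)
    token = sp.issue_request_token()
    verifier = sp.approve(token, "alice")
    return sp.exchange(token, verifier)
```

Without the verifier, the saved token alone yields access to the approver's resources; with it, the exchange fails unless the caller also holds the value delivered to the approving browser.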