Board: Development & Technical Discussion
Re: Different architecture proposal?
by dete on 24/07/2010, 15:47:54 UTC
OAuth has been hacked, hasn't it? It is supposed to be announced at Black Hat.
A particular implementation of OAuth was susceptible to a side-band attack. Basically, you could get extra information about which part of your attempted fake-authentication packet was incorrect by timing how long it took for the server to reject it.

The protocol is still considered secure. (Besides, I'm not sold on OAuth in particular, but something similar. The key point is to not use simple password authentication, because then you end up with each client "caching" the user's password independently, which is a big security risk.)
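The timing leak dete describes comes from a signature check that stops at the first mismatching byte, so a rejection arrives sooner the earlier the mismatch is. The following is an added illustration, not code from the thread or from any OAuth library: it models "time" as the number of bytes examined (so the leak is visible deterministically), shows the early-exit comparison next to a constant-time one, and wraps the stdlib `hmac.compare_digest` in a request-verification helper. The secret key, message and MAC values are constructed for the example.

```python
import hmac
import hashlib


def early_exit_compare(expected: bytes, provided: bytes) -> tuple:
    """Naive comparison that returns as soon as a byte differs.

    Returns (equal, bytes_examined). The second value stands in for elapsed
    time: it grows with the length of the correctly guessed prefix, which is
    exactly the information a remote caller can recover by timing rejections.
    """
    if len(expected) != len(provided):
        return False, 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        if a != b:
            return False, examined  # leaks the position of the first mismatch
    return True, examined


def constant_time_compare(expected: bytes, provided: bytes) -> tuple:
    """Same contract, but every byte is always examined.

    Differences are OR-accumulated instead of triggering an early return, so
    the work done (and hence the response time) does not depend on where the
    first mismatch is. Only the length check short-circuits, and the length of
    a MAC is not secret.
    """
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def sign_request(secret: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the request body (the kind of MAC an OAuth 1.0-style
    signed request carries; the exact canonical string is out of scope here)."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def verify_request_signature(secret: bytes, message: bytes, presented_mac: bytes) -> bool:
    """Hardened server-side check: recompute the MAC and compare it with the
    stdlib constant-time primitive rather than with ==."""
    expected = sign_request(secret, message)
    return hmac.compare_digest(expected, presented_mac)


def prefix_leak_profile(expected: bytes, guesses: list) -> list:
    """Bytes examined for each guess under the naive compare. With guesses
    that share progressively longer correct prefixes, the profile climbs,
    which is the measurable signal the naive check gives away."""
    return [early_exit_compare(expected, g)[1] for g in guesses]


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret = b"example-consumer-secret"
    message = b"POST&https%3A%2F%2Fapi.example%2Fresource&oauth_nonce%3Dabc"
    mac = sign_request(secret, message)

    # Guesses whose first wrong byte moves one position to the right each time.
    guesses = [mac[:i] + b"\x00" + mac[i + 1:] for i in range(4)]
    print("naive compare, bytes examined:", prefix_leak_profile(mac, guesses))
    print("constant-time, bytes examined:",
          [constant_time_compare(mac, g)[1] for g in guesses])
    print("valid signature accepted:", verify_request_signature(secret, message, mac))
    print("tampered signature accepted:",
          verify_request_signature(secret, message, guesses[0]))
```

Running it prints a climbing profile such as `[1, 2, 3, 4]` for the naive comparison and a flat `[32, 32, 32, 32]` for the constant-time one; the fix on the server side is simply never to compare a MAC or token with `==`.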