On December 14th, 2015, a bug bounty hunter called blikms reported an open redirect vulnerability on Shopify, an e-commerce service that provides easy ways to create an online store for people who are not specialized in development.
In Shopify's features, you can buy themes to modify an aspect of the store. blinkms discovered the vulnerability on this module.
The following URL was found to be vulnerable:
https://app.shopify.com/services/google/themes/preview/supply--blue?domain_name=example.com
Using this link, you could modify the redirection stored in the domain_name parameter to other sites without validation. The vulnerability could be exploited to redirect the user to malicious sites or to steal the OAuth token in the website.
If you want to read more about this bug, visit https://hackerone.com/reports/101962.