Here's a simplistic, real-world example of an open redirect at play. You might log into a website as a truly authentic user, but if a hacker has compromised a return URL, changing parts of the string after you have logged in will result in you being taken outside the application. You may not notice this as a user because the site that you have been redirected to could intentionally be created to look exactly like the original site.

A compromise in the URL is harder to detect with longer URLs, in which just changing a single letter does the job of tricking you into thinking you are on the same site. A hacker with intent will have almost an exact replica of the authentic site and when you are on their compromised site, they might ask you to log in again for a made-up reason, and there goes your username and password!