It is not clear at this point how much damage the current security flaw can do. After all, you can’t really put that much code inside a tweet, but redirection is certainly a possibility, and some spammers have already taken advantage of it by redirecting users to hardcore porn sites. Auto-tweeting is also an option, with the possibility of generating even more spam.
Update: Twitter confirmed that the security exploit was fully patched. That was certainly fast!!!