The Most Common OAuth2 Vulnerability (homakov.blogspot.com)
20 points by homakov 887 days ago | comments


cheald 886 days ago | link

This is important; while it's not really a general vulnerability, you could run into a lot of trouble if someone's performing a targeted attack. I don't think I'd ever really read anything in any consumer-facing OAuth2 documentation about the importance of state, and given the breadth of sites vulnerable to the issue, it seems like a lot of other people don't know about it either.

Patching this in my Rails apps was easy; it's a trivial solution, but I'm leaving it here to demonstrate that it's not a hard fix.

When generating the URL to redirect to for authorization:

    session["#{service}_oauth2_state"] = ActiveSupport::SecureRandom.urlsafe_base64(24)
Then, pass state as a param when generating my OAuth authorization URL.

When the authorizing endpoint returns:

    session_state = session["#{service}_oauth2_state"]
    if params[:state] != session_state or session_state.blank?
      render :text => "Unable to validate login state." and return
    end
It's worth noting that I did have to update Koala (the Facebook API library we're using) to get arbitrary parameters passed through to #url_for_oauth_code. Older versions had a hardcoded list of parameters, which did not include state.
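
The state round trip described in the comment above, as an added example in plain Ruby (not cheald's code, and not Koala's): the session is modelled as a Hash, the provider endpoint is a hypothetical placeholder, and the state is consumed after one check so a captured callback URL cannot be replayed.

```ruby
require 'securerandom'
require 'uri'

# Mint, store and verify the OAuth2 state parameter. `session` is any Hash-like
# store bound to the user's browser session (a Rails session in practice).
class OAuth2StateGuard
  AUTHORIZE_URL = 'https://provider.example/oauth/authorize' # hypothetical provider

  def initialize(session, service)
    @session = session
    @key = "#{service}_oauth2_state"
  end

  # Before redirecting: bind a fresh unguessable state to this session
  # and carry the same value in the authorization URL.
  def authorization_url(client_id:, redirect_uri:)
    state = SecureRandom.urlsafe_base64(24)
    @session[@key] = state
    query = URI.encode_www_form(response_type: 'code', client_id: client_id,
                                redirect_uri: redirect_uri, state: state)
    "#{AUTHORIZE_URL}?#{query}"
  end

  # On callback: the state must be present, must equal the stored value, and
  # is consumed on first use so a captured callback URL cannot be replayed.
  def valid_callback?(params)
    expected = @session.delete(@key) # cleared whatever the outcome
    received = params['state']
    return false if expected.nil? || expected.empty? || received.nil?
    return false unless received.bytesize == expected.bytesize
    constant_time_equal?(received, expected)
  end

  private

  # Byte-wise comparison that does not stop at the first differing byte.
  def constant_time_equal?(a, b)
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Demo helper: read the state back out of the generated URL, standing in
# for the provider echoing it to the callback.
def state_from_url(url)
  URI.decode_www_form(URI(url).query).to_h['state']
end
```

A forged callback carrying an attacker-chosen state, a callback with no state at all, and a replay of an already-used state are all rejected; only the value stored in this user's session passes, once.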

-----

homakov 886 days ago | link

it's not hard to fix, agreed. at the same time it must be fixed in gems, not by developers

-----

peterhellberg 884 days ago | link

By gem developers that is :)

-----
