Facebook's OAuth2 implementation is so broken. Homakov found an X-XSS-Protection-related issue: http://homakov.blogspot.no/2013/02/hacking-facebook-with-oauth2-and-chrome.html

After reading Homakov's and Nir's discussions I started looking for some bugs myself. And guess what? ~10 hours later I found *another* access_token-stealing exploit that has the same implications as Nir's exploit (although mine doesn't work in all browsers). Reported it 2 days ago.

Wouldn't surprise me if there are more bugs/exploits to be discovered :(