In the past few months, white hat hacker Nir Goldshlager reported many critical bugs in Facebook's OAuth mechanism that allowed an attacker to hijack any Facebook account without interaction.
Another hacker, Amine Cherrai, reported a new Facebook OAuth flaw whose exploitation is very similar to Nir Goldshlager's findings but takes a new, unpatched route.
If you are aware of the vulnerability used against Facebook OAuth through the redirect_uri parameter in the URL, Amine Cherrai found another way to bypass the patch applied by the Facebook Security Team.
He found another file on Facebook that allows a redirection that can be used to steal the access tokens of victims' accounts: "http://facebook.com/connect/xd_arbiter.php?#&origin=http://facebook.com/". Successful exploitation once again allowed a hacker to hijack Facebook accounts using the OAuth flaw.
Proof Of Concept
http://facebook.com/dialog/oauth?client_id=350685531728&response_type=token&display=page&redirect_uri=http%3A%2F%2Ftouch.facebook.com%2Fconnect%2Fxd_arbiter.php%3F%23%21%2Fapps%2Fmidnighthack%2F%3F%26origin%3Dhttp%3A%2F%2Ffacebook.com%2F
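A defender's view of the request above, as an added example that is not from the original article or from Facebook: it parses the proof-of-concept URL and compares a loose, domain-based redirect_uri check with an exact-match check that also rejects fragments (RFC 6749, section 3.1.2). The registered callback, the loose policy and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Authorization request quoted in the article's proof of concept.
POC = ("http://facebook.com/dialog/oauth?client_id=350685531728"
       "&response_type=token&display=page"
       "&redirect_uri=http%3A%2F%2Ftouch.facebook.com%2Fconnect%2F"
       "xd_arbiter.php%3F%23%21%2Fapps%2Fmidnighthack%2F%3F%26origin"
       "%3Dhttp%3A%2F%2Ffacebook.com%2F")

# Constructed registration data (assumption): exact callbacks per client_id.
REGISTERED = {"350685531728": {"https://apps.example.test/callback"}}


def redirect_uri_of(auth_url):
    """Return (client_id, percent-decoded redirect_uri) from an authorization URL."""
    params = parse_qs(urlsplit(auth_url).query)
    return params["client_id"][0], params["redirect_uri"][0]


def loose_check(redirect_uri, trusted_domain="facebook.com"):
    """Weak policy (assumed): any path on the trusted domain or a subdomain passes."""
    host = urlsplit(redirect_uri).hostname or ""
    return host == trusted_domain or host.endswith("." + trusted_domain)


def strict_check(client_id, redirect_uri):
    """Hardened policy: no fragment allowed, and exact match with a registered URI."""
    if "#" in redirect_uri:
        return False, "fragment present"
    if redirect_uri not in REGISTERED.get(client_id, set()):
        return False, "not an exactly registered URI"
    return True, "ok"


if __name__ == "__main__":
    cid, uri = redirect_uri_of(POC)
    print("redirect_uri:", uri)
    print("loose check :", loose_check(uri))
    print("strict check:", strict_check(cid, uri))
```

With response_type=token the access token is returned in the URL fragment, so any page on an accepted host that forwards the browser onward can carry the token with it; exact matching removes that whole class of intermediate pages.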
By the way, this bug was closed by the Facebook Security Team a few days back, and your social accounts are once again secure, until the next finding!
TheHackerNews.