Pinoy Hack News – PHN
Because the flaw can not cause much security issue, the security researcher published its details and explained in his website.
“The parameter ‘redirect_uri’ suffers from an open redirect vulnerability but the parameters ‘app_id’ or ‘client_id’ are required for a redirect to take place so therefore they must be given a value, but as there is no validity checks in place any random INVALID value is accepted.”
The security flaw is accordingly already reported to Facebook, and the Facebook Security Team is currently working on fixing this vulnerability.
Hussain added that, “an attacker can add a random invalid value to the parameters “app_id” and/or “client_id” and then change the value of the parameter “redirect_uri” and redirect facebook users to malicious sites such as phishing sites or sites with malware. ”
Source: illSecure.com
