by arice 4522 days ago
This is great work by Egor, as usual. I work on Facebook's security and thought I'd add a bit more clarity here on the mitigation steps available to developers. Awareness here is important.

The first issue manifests itself if 1) an account has been previously registered on a client site, 2) that site offers the ability to "link" that existing account with a Facebook account, and 3) the action that performs the linking on the client site is vulnerable to CSRF. If you're a developer implementing conditions 1 & 2, make sure the linking action is protected by your anti-CSRF framework. Requiring explicit consent prior to linking accounts is a good idea for a number of reasons beyond this attack.

The second issue builds on what Egor refers to as "OAuth's Achilles' Heel": if the client site contains Open Redirect or XSS vulnerabilities, those vulnerabilities can often be leveraged to compromise the OAuth credential. To greatly reduce the likelihood of this attack, you should restrict which endpoints on your domain are capable of participating in the OAuth flow. See Facebook's Best Practices for Login Security guide[1], specifically the "Specify a whitelist of OAuth redirect URLs" section. Of course, you probably want to fix any Open Redirect & XSS vulnerabilities as well.

[1] https://developers.facebook.com/docs/facebook-login/security...
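The two mitigations described in the comment above, as an added worked example in Python; this is illustrative code written for this page, not code from the commenter, from Facebook's SDK, or from the linked guide. All hostnames (client.example, provider.example, evil.example), the function names, the session dict, and the in-memory allowlist are constructed for the example. It shows an exact-match redirect_uri allowlist check (the "whitelist of OAuth redirect URLs" point, with the open-redirector and XSS-on-same-host cases rejected) and a three-step account-linking flow where the callback is bound to the browser session with a `state` value and the link is only stored after an explicit consent POST that carries an anti-CSRF token.

```python
import hmac
import secrets
from urllib.parse import urlsplit, urlencode

# Constructed for this example: the exact redirect URIs the client has
# registered with the provider. No other endpoint on client.example may
# receive an authorization code, so an open redirector or an XSS-bearing
# page elsewhere on the host cannot be named as the OAuth return point.
ALLOWED_REDIRECT_URIS = {"https://client.example/oauth/callback"}


def is_allowed_redirect(uri, allowlist=ALLOWED_REDIRECT_URIS):
    """Exact-match check of a redirect_uri against the registered allowlist.

    No prefix or substring matching on purpose: a rule such as "anything
    under https://client.example/" would accept /redirect?url=... and the
    credential would be bounced straight to the attacker.
    """
    if "#" in uri:                      # fragments are never part of a registered URI
        return False
    try:
        parts = urlsplit(uri)
        port = parts.port               # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False                    # rejects plain http and user@host tricks
    if not parts.hostname or port not in (None, 443):
        return False
    if parts.query:
        return False                    # registered URIs carry no query string
    # hostname is already lowercased by urlsplit; the path is compared
    # verbatim, so "/oauth/callback/../open" does not match "/oauth/callback".
    return f"https://{parts.hostname}{parts.path}" in allowlist


def begin_account_link(session, authorize_endpoint, client_id, redirect_uri):
    """Step 1: the logged-in user clicks "link my account" on the client.
    Refuses any redirect_uri outside the allowlist and binds the flow to
    this session with an unguessable state value."""
    if not is_allowed_redirect(redirect_uri):
        raise ValueError("redirect_uri is not in the registered allowlist")
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code", "state": state})
    return f"{authorize_endpoint}?{query}"


def handle_callback(session, params):
    """Step 2: the provider redirects back with code and state. A forged
    callback URL that the attacker lures the victim into visiting carries the
    attacker's code but cannot carry the victim's session-bound state, so the
    attacker's provider account is never attached to the victim's account."""
    expected = session.pop("oauth_state", None)   # one-shot: never reusable
    presented = params.get("state", "")
    if not expected or not hmac.compare_digest(expected.encode(), presented.encode()):
        return "rejected: state mismatch"
    session["pending_code"] = params.get("code", "")
    session.setdefault("csrf_token", secrets.token_urlsafe(32))
    return "pending"                    # now render the "confirm linking?" page


def confirm_link(session, form):
    """Step 3: the user POSTs the consent form. The link is stored only after
    an explicit confirmation that carries the session's anti-CSRF token, so a
    cross-site POST cannot complete the linking on the victim's behalf."""
    token = session.get("csrf_token", "")
    presented = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token.encode(), presented.encode()):
        return "rejected: bad csrf token"
    if form.get("confirm") != "yes" or "pending_code" not in session:
        return "rejected: no pending link or no explicit consent"
    # A real client would now exchange pending_code for a token server-side
    # and store the resulting provider user id against the local account.
    session["linked_provider_code"] = session.pop("pending_code")
    return "linked"
```

The allowlist check is deliberately strict about scheme, port, userinfo, query and fragment so that the only way to receive a code is through the one registered endpoint; the session flow shows why the `state` check and the consent token are separate controls, since `state` stops a forged callback while the CSRF token stops a forged confirmation, and an attacker needs to defeat both to link their provider account to a victim's existing account.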