[icebraining]

Yeah, I was struggling to understand this, since I recently implemented a Facebook OAuth client and it prevented me from setting any redirection URL outside the configured domain, so I don't see how is Facebook vulnerable.

Frankly, much ado about nothing.

[simonw]

This is only a vulnerability if you have an "open redirect" somewhere on your domain.

Do you have any URLs that look like this?

yourdomain.com/track-outbound-click.php?url=http://www.evilsite.com/

That's an open redirect, and can be used by an attacker to work around the domain whitelist.

Open redirects are bad news for a bunch of other reasons. The solution is to always guard them with an additional signed parameter derived from the URL and a secret.

[vertex-four]

The point is that large OAuth2 providers have open redirects themselves at the authorization endpoint, by not requiring all clients to register their redirection URIs. This directly violates the spec, as per section 3.1.2.2, and is further warned against in section 10.15.

In combination with the implicit flow, this means that an attacker can create ask the provider to authorize any client to access their data, but actually send the access token to the attacker's URL.

The interesting thing is... if providers actually followed all MUSTs and SHOULDs, this would not be a problem. The providers explicitly decided to allow this variety of problem to happen.