OpenID, OAuth Vulnerability Affects Facebook, Google, and Others
“For OAuth 2.0, these attacks might jeopardize the token of the site users, which could be used to access user information,” he wrote in a blog. “In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc. If the token has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user’s behalf.”