Two “WontFix” vulnerabilities in Facebook Connect

TL;DR: Every website with a “Connect Facebook account and log in with it” feature is vulnerable to account hijacking. Every website relying on signed_request (for example, the official JS SDK) is vulnerable to account takeover as soon as an attacker finds a 302 redirect to another domain.

I don’t think these will be fixed: I’ve heard from the Facebook team that a fix would break compatibility. I really wish they would fix them, though, because, as you can see below, I believe these are serious issues.
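As an added illustration (not code from the post or from Facebook's SDK), here is how a site would verify a signed_request before trusting the identity inside it. The value has the documented form base64url(HMAC-SHA256 signature) + "." + base64url(JSON payload), keyed with the app secret; the `make_signed_request` helper, the app secret and the sample payload below are constructed for the example. Signature verification is the baseline every relying site needs, but it does not by itself address the second issue the post describes: a correctly signed value that leaks through a redirect verifies fine, so that problem has to be fixed at the redirect.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_decode(s: str) -> bytes:
    # signed_request uses URL-safe base64 with the padding stripped; restore it
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_signed_request(payload: dict, app_secret: str) -> str:
    # Constructed helper: builds a value in the same format so the verifier can
    # be exercised offline. A real value is produced by Facebook, not by the site.
    encoded = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(app_secret.encode(), encoded.encode(), hashlib.sha256).digest()
    return f"{b64url_encode(sig)}.{encoded}"


def verify_signed_request(signed_request: str, app_secret: str,
                          max_age: int = 3600, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature, algorithm and age check out, else None."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        sig = b64url_decode(sig_b64)
    except (ValueError, base64.binascii.Error):
        return None

    # The HMAC is computed over the encoded payload string, not the decoded JSON
    expected = hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None

    try:
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, base64.binascii.Error):
        return None

    # Reject anything that does not declare the expected algorithm
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None

    # Reject stale values so an old signed_request cannot be replayed indefinitely
    now = time.time() if now is None else now
    issued_at = payload.get("issued_at")
    if not isinstance(issued_at, (int, float)) or now - issued_at > max_age:
        return None

    return payload


if __name__ == "__main__":
    # Constructed sample: secret and payload are not real values
    secret = "constructed-app-secret"
    sr = make_signed_request({"algorithm": "HMAC-SHA256", "issued_at": 1000, "user_id": "42"}, secret)
    print(verify_signed_request(sr, secret, now=1500))   # payload dict
    print(verify_signed_request(sr, "wrong-secret", now=1500))  # None
```

The `now` parameter exists only so the freshness check is deterministic in tests; in production leave it unset.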