Example: https://www.facebook.com/l/goldy;touch.facebook.com/apps/sdfsdsdsgs (where ‘goldy’ is the 5 bytes of data used).
In the last step, he redirects the victim to an external website hosted at files.nirgoldshlager.com (the attacker's server) via a malicious Facebook app he created, and the victim’s access_token is logged there. So here we have the final POC that can hack any Facebook account by exploiting another Facebook OAuth bug.
For all browsers:
For Firefox browser:
This bug was also reported to the Facebook Security Team last week by Nir Goldshlager and is now patched. If you are a hacker, we expect YOU to hack it again!
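The example URL above is on www.facebook.com yet ends up sending the victim to an external server, which is why a redirect_uri check that only looks at the domain is not enough. As an added example (not code from the original article or from Facebook), the Python below contrasts a domain-only check with exact-match validation; the registered callback URL and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed registration data for a hypothetical OAuth client.
# This is NOT Facebook's real configuration.
REGISTERED_REDIRECTS = frozenset({
    "https://www.facebook.com/example_app/callback",
})

# The example URL quoted in the article.
ARTICLE_URL = "https://www.facebook.com/l/goldy;touch.facebook.com/apps/sdfsdsdsgs"


def naive_host_check(redirect_uri, trusted_domain="facebook.com"):
    """Weak: accepts any URL on the trusted domain, so any on-domain page
    that forwards the browser elsewhere can carry the token off-site."""
    host = urlsplit(redirect_uri).hostname or ""
    return host == trusted_domain or host.endswith("." + trusted_domain)


def strict_check(redirect_uri, registered=REGISTERED_REDIRECTS):
    """Hardened: structural checks, then exact string match against the
    URIs the client registered in advance."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.hostname:
        return False
    # No userinfo tricks and no pre-supplied fragment.
    if parts.username or parts.password or parts.fragment:
        return False
    # Reject path parameters, dot segments, backslashes and empty segments,
    # all of which are handled inconsistently between parsers.
    if any(token in parts.path for token in (";", "..", "\\", "//")):
        return False
    return redirect_uri in registered


if __name__ == "__main__":
    candidates = list(REGISTERED_REDIRECTS) + [
        ARTICLE_URL,
        "https://files.nirgoldshlager.com/",
    ]
    for url in candidates:
        print(f"naive={naive_host_check(url)!s:5} "
              f"strict={strict_check(url)!s:5} {url}")
```

The domain-only check rejects the external host directly but accepts the on-domain URL that leads to it; the exact-match check rejects both.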