Covert Redirect could lead to open-redirect attacks against both clients and providers of OAuth 2.0 or OpenID. For OAuth 2.0, such an attack might expose the site user's token, which could then be used to access user information. In the case of Facebook, that information could include basic data such as email address, age, locale and work history. If the token carries greater privilege (the user must consent to it first), the attacker could obtain more sensitive information, such as the mailbox, friends list and online presence, and could even operate the account on the user's behalf.
More here: http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
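The following is an added example, not code from the original post or from any of the listed providers. It contrasts the lax, host-only redirect_uri matching that lets an open redirector anywhere on a client's domain receive the authorization response with exact matching against the registered URIs, and adds the client-side check that stops a "next"-style parameter from acting as an open redirector in the first place. The hosts client.example and attacker.example and the callback path are constructed values.

```python
from urllib.parse import urlsplit

# Constructed sample: the exact redirect URIs one OAuth client registered
# with the provider. Real providers hold one such set per client_id.
REGISTERED_REDIRECT_URIS = {
    "https://client.example/oauth/callback",
}


def weak_domain_match(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Provider-side check that compares only the host.

    This is the lax policy that makes covert redirect possible: any page on
    the client's domain, including an open redirector, is accepted as the
    destination for the code/token. Shown only to contrast with strict_match().
    """
    host = urlsplit(candidate).hostname
    return host is not None and any(urlsplit(r).hostname == host for r in registered)


def strict_match(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Provider-side check: the candidate must equal a registered URI exactly.

    A fragment is rejected outright (RFC 6749 forbids fragments in redirect
    URIs); anything else that is not a byte-for-byte match is rejected too, so
    an open redirector on the same host can never receive the response.
    """
    if urlsplit(candidate).fragment:
        return False
    return candidate in registered


def safe_local_redirect(target: str) -> bool:
    """Client-side check for a 'next' / 'return_to' style parameter.

    Only a same-origin absolute path is allowed, so the client's own pages
    cannot be used as an open redirector to forward a token elsewhere.
    """
    # Must be a path on this origin; "//host" is protocol-relative and external.
    if not target.startswith("/") or target.startswith("//"):
        return False
    # Browsers treat a backslash like a slash, so "/\host" is also external.
    if target.startswith("/\\"):
        return False
    # CR/LF would allow header injection into the Location header.
    if "\r" in target or "\n" in target:
        return False
    parts = urlsplit(target)
    # Any scheme or authority means the target is not a local path.
    return not parts.scheme and not parts.netloc


if __name__ == "__main__":
    # Constructed attacker-controlled value: a client page that forwards
    # wherever its "next" parameter says.
    abused = "https://client.example/redirect?next=https://attacker.example"
    print("host-only match accepts it:", weak_domain_match(abused))
    print("exact match rejects it:    ", not strict_match(abused))
    print("client blocks external next:",
          not safe_local_redirect("https://attacker.example"))
```

The provider-side fix is the strict_match policy (register full URIs, compare exactly); the client-side fix is safe_local_redirect applied to every user-supplied redirect parameter before issuing a Location header.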
Services that support OAuth 2 (source: http://oauth.net/2/):
37signals (draft 5)
Box
Beeminder
Campaign Monitor
Dropbox
Facebook's Graph API (see sociallipstick.com/?p=239)
Foursquare
Geoloqi
GitHub
Google
Meetup
NationBuilder
Salesforce
Citrix ShareFile
SoundCloud
Do.com (draft 22)
Windows Live
Detailed explanation of the vulnerability:
Youtube: http://www.youtube.com/user/tetraph
Youku: http://i.youku.com/tetraph
Blog: http://tetraph.com/blog/
Blogspot: http://tetraph.blogspot.com
163 Blog: http://tetraph.blog.163.com/