A Security Researcher Nir Goldshlager, has discovered a security flaw in Facebook that allowed him to take a full control over any Facebook account.
OAuth is used by Facebook to communicate between Applications and Facebook users, Usally users must allow/accept the application request to access their account before the communication can start. Facebook application might ask for different permissions.
According to researcher, the vulnerability gives a full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos,etc..) over the victim account .
"To make a successful attack, the victim need to use a Facebook application (Texas Holdem Poker, Diamond Dash, etc..). And these applications only have a basic permissions, We can always change the scope of the application permission and set a new permission but this method not powerfull, Because the victim need to accept the new permissions of the app" Researcher said in his blog.
But researcher discovered that there are built-in Applications(Facebook Messenger) in Facebook that users never need to accept , And this application have a full control on your account.
PoC:
https://www.facebook.com/connect/uiserver.php?app_id=220764691281998&next=https%3A%2F%2Ftouch.facebook.com%2F%23~!%2Fapps%2Ftestestestte%2F&display=page&fbconnect=1&method=permissions.request&response_type=token
Demo: