Every website relying on signed_request (for example, the official JS SDK) is vulnerable to account takeover as soon as an attacker finds a 302 redirect to another domain. Facebook engineers made redirect_uri a required parameter for exchanging an issued “code” for an “access_token”: if the code was issued for a different (spoofed) redirect_uri, the provider responds with a mismatch error. Obtaining a signed_request is just like stealing a username and password, and it is hard to get rid of all the redirects: clients like SoundCloud are at the same time OAuth providers themselves and have to redirect to third-party websites, their own “subsequent” clients.
Source: http://homakov.blogspot.com/2014/01/two-severe-wontfix-vulnerabilities-in.html
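The redirect_uri binding described above, as an added illustration that is not code from the blog post or from Facebook: an authorization endpoint binds each issued code to the exact redirect_uri it was requested with, and the token endpoint refuses the exchange on a mismatch. The weak origin-only check is included beside the strict one to show why a redirector on an otherwise registered host passes it. Client registrations and URIs are constructed sample values.

```python
import secrets
from urllib.parse import urlsplit

# Constructed sample client registration (hypothetical client id and callback).
CLIENTS = {
    "app123": {"redirect_uris": {"https://client.example/callback"}},
}
_issued_codes = {}  # code -> (client_id, redirect_uri it was issued for)


def origin_only_allowed(client_id, redirect_uri):
    """Weak policy: any path on a registered scheme+host is accepted,
    so an open redirector on that host slips through."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    want = urlsplit(redirect_uri)[:2]
    return any(urlsplit(u)[:2] == want for u in client["redirect_uris"])


def redirect_uri_allowed(client_id, redirect_uri):
    """Strict policy: exact string match against the registered URIs."""
    client = CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def issue_code(client_id, redirect_uri):
    """Authorization endpoint: reject unregistered URIs, then bind the code."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        raise ValueError("redirect_uri not registered for this client")
    code = secrets.token_urlsafe(16)
    _issued_codes[code] = (client_id, redirect_uri)
    return code


def exchange_code(client_id, code, redirect_uri):
    """Token endpoint: the presented redirect_uri must equal the bound one.
    The code is consumed on first use, whether or not the exchange succeeds."""
    entry = _issued_codes.pop(code, None)
    if entry is None:
        return {"error": "invalid_grant"}
    bound_client, bound_uri = entry
    if bound_client != client_id or bound_uri != redirect_uri:
        return {"error": "redirect_uri_mismatch"}
    return {"access_token": secrets.token_urlsafe(24)}
```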

