Blog | G5 Cyber Security

Facebook hacking accounts using another OAuth vulnerability

White hat hacker Nir Goldshlager has once again pwned the Facebook OAuth mechanism, bypassing the minor changes the Facebook team made after his earlier report. He explains the complete saga of hunting the Facebook bug in a blog post. He used the facebook.com/l.php file (used by Facebook to redirect users to external links) to redirect victims to his malicious Facebook application and then on to his own server, where the token values were stored. In the newly discovered technique, he found that the next parameter accepted the facebook.facebook.com domain as a valid option and that multiple hash signs were now enough to bypass the regex protection.
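As an added defensive illustration (not code from this post, from the researcher or from Facebook): a constructed weak check that applies a regex to the raw next value, placed beside a strict check that parses the URL, requires an exact allowlisted hostname and rejects any fragment. The allowlisted hostnames and the sample URLs are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed weak check: a regex over the raw string that only asks whether
# "facebook.com" appears somewhere in the host part. Any subdomain and any
# host that merely contains the string passes, and the regex never looks at
# what follows a '#'.
WEAK_PATTERN = re.compile(r"^https?://[^/]*facebook\.com")

def weak_is_allowed(next_url: str) -> bool:
    return bool(WEAK_PATTERN.match(next_url))

# Assumed exact allowlist for the example; no wildcard subdomains.
ALLOWED_HOSTS = {"www.facebook.com", "m.facebook.com"}

def strict_is_allowed(next_url: str) -> bool:
    """Accept a redirect target only if it parses cleanly, is https, names an
    allowlisted host exactly, carries no userinfo or port, and has no '#'."""
    if "#" in next_url:          # fragments never reach the server; refuse them outright
        return False
    try:
        parts = urlsplit(next_url)
        port = parts.port         # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.hostname not in ALLOWED_HOSTS:   # exact match, lower-cased by urlsplit
        return False
    if parts.username or parts.password or port is not None:
        return False
    return True

# Constructed sample values exercising the two validators.
SAMPLES = [
    "https://www.facebook.com/home.php",
    "https://facebook.facebook.com/app",
    "https://www.facebook.com/home.php#x#y",
    "https://facebook.com.example.test/",
    "http://www.facebook.com/home.php",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:45} weak={weak_is_allowed(url)!s:5} strict={strict_is_allowed(url)}")
```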

Source: https://thehackernews.com/2013/03/facebook-hacking-accounts-using-another.html
