Homakov on Covert Redirect OAuth exploit (blogspot.com.ar)
3 points by woloski on May 2, 2014 | 1 comment


Basically the vulnerability is on the Facebook side. Every OAuth provider has a list of "allowed redirect URIs". A good OAuth provider will check the entire URL, but Facebook doesn't check the query string in the URL. If you have a list of allowed redirects like:

- http://foo.com
- http://foo.com/foo

Facebook accepts redirects like:

- http://foo.com?anything_here=xx

And if the client has an open redirect (some query string to redirect anywhere), combined with response_type token, the evil website can get the token.
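
The two kinds of redirect check contrasted in the comment above, as an added example that is not part of the original comment or any provider's code: `lax_match` ignores the query string, `strict_match` compares the whole URL. The function names, the `next` parameter and the sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Allow-list taken from the comment's example.
ALLOWED_REDIRECTS = ("http://foo.com", "http://foo.com/foo")


def _origin_and_path(url):
    """Scheme, host and path only; the query string and fragment are dropped."""
    parts = urlsplit(url)
    return parts.scheme, parts.netloc.lower(), parts.path or "/"


def lax_match(redirect_uri, allowed=ALLOWED_REDIRECTS):
    """Check as the comment describes it: the query string is never compared."""
    target = _origin_and_path(redirect_uri)
    return any(target == _origin_and_path(entry) for entry in allowed)


def strict_match(redirect_uri, allowed=ALLOWED_REDIRECTS):
    """Whole-URL check: the value must equal a registered entry exactly."""
    return redirect_uri in allowed


# Constructed sample values; `next` is a hypothetical redirect parameter.
SAMPLES = (
    "http://foo.com",
    "http://foo.com/foo",
    "http://foo.com?anything_here=xx",
    "http://foo.com/foo?next=http://other.example/",
    "http://other.example/",
)


def compare(samples=SAMPLES):
    """Return (uri, lax_result, strict_result) for each sample."""
    return [(uri, lax_match(uri), strict_match(uri)) for uri in samples]


if __name__ == "__main__":
    for uri, lax, strict in compare():
        print(f"{uri:48} lax={lax!s:5} strict={strict}")
```

Only the two registered values pass `strict_match`; the query-string variants pass `lax_match` alone, which is the gap the comment points at.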



