Account takeover of Facebook/Oculus accounts due to First-Party access_token stealing (44250)
Original Post:
We discussed this vulnerability during Episode 185 on 06 February 2023
A simple token-leakage bug in Oculus endpoints, introduced by the migration from Facebook accounts to Meta accounts. Previously, the first-party access token was difficult to leak because redirects were performed through JavaScript; in the new Meta authentication flow, the redirect was performed directly via a URL carrying the token. The redirect domain was validated against subdomains of oculus.com, but various subdomains (such as forums.oculus.com) host third-party apps. Any open redirect on one of those subdomains could therefore be used to leak the first-party access token and hijack the account.
The open redirect is undisclosed as it’s not fixed as of writing.
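The root cause above is a redirect-target check scoped to a whole domain while the token travels in the URL. The following is an added example (not code from the write-up, the podcast, or Meta) that places that subdomain-wide check beside a strict exact-match allowlist, and adds a small log scan for tokens that ended up in URLs. The callback URIs, log format and token values are constructed for illustration; only the oculus.com and forums.oculus.com names come from the entry.

```python
"""Redirect-target validation: a subdomain-wide check (the pattern described
in the write-up) beside a strict allowlist, plus a scan for tokens in URLs.
Added example; the allowlist, log lines and token values are constructed."""
from urllib.parse import urlsplit, parse_qs

ROOT_DOMAIN = "oculus.com"  # the domain the write-up says was validated

# Constructed allowlist of exact callback URIs (assumed, not a real config).
REGISTERED_CALLBACKS = {
    "https://auth.oculus.com/login/callback",
    "https://secure.oculus.com/oauth/done",
}

# Query/fragment parameter names that would carry a bearer-style token.
TOKEN_PARAMS = ("access_token", "token", "id_token")


def weak_is_allowed(redirect_uri: str) -> bool:
    """Domain-level check like the one the write-up describes: any host
    under oculus.com passes, including subdomains that host third-party
    apps. The userinfo trick (user@evil) is handled because hostname
    excludes the userinfo part, but every subdomain is still trusted."""
    host = (urlsplit(redirect_uri).hostname or "").lower()
    return host == ROOT_DOMAIN or host.endswith("." + ROOT_DOMAIN)


def strict_is_allowed(redirect_uri: str) -> bool:
    """Exact-match check: scheme, host, port and path must equal a registered
    callback; userinfo, query strings and fragments are rejected so the
    target cannot be steered anywhere after the match."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.password or parts.query or parts.fragment:
        return False
    if parts.port not in (None, 443):
        return False
    return f"https://{parts.hostname.lower()}{parts.path}" in REGISTERED_CALLBACKS


def token_in_url(url: str) -> bool:
    """True if a token travels in the URL (query or fragment), where it
    lands in browser history, Referer headers and server logs."""
    parts = urlsplit(url)
    for component in (parts.query, parts.fragment):
        if any(name in parse_qs(component) for name in TOKEN_PARAMS):
            return True
    return False


def find_token_exposures(log_lines):
    """Scan access-log lines (constructed format: METHOD URL REFERER) and
    return (host, destination_is_registered) for every token-bearing URL.
    A token reaching an unregistered host is the leak described above."""
    findings = []
    for line in log_lines:
        _method, url, _referer = line.split()
        if not token_in_url(url):
            continue
        parts = urlsplit(url)
        base = f"{parts.scheme}://{(parts.hostname or '').lower()}{parts.path}"
        findings.append((parts.hostname, base in REGISTERED_CALLBACKS))
    return findings


# Constructed sample log: one token at a registered callback, one token that
# reached a third-party-hosted subdomain, and one ordinary request.
SAMPLE_LOG = [
    "GET https://auth.oculus.com/login/callback?access_token=tok_constructed_1 -",
    "GET https://forums.oculus.com/redirect?access_token=tok_constructed_2 https://auth.oculus.com/",
    "GET https://forums.oculus.com/threads/123 -",
]

if __name__ == "__main__":
    for uri in ("https://auth.oculus.com/login/callback",
                "https://forums.oculus.com/redirect?next=https://evil.example"):
        print(uri, "weak:", weak_is_allowed(uri), "strict:", strict_is_allowed(uri))
    print(find_token_exposures(SAMPLE_LOG))
```

The strict check deliberately refuses query strings and fragments on the redirect target; the application should append its own state after validation rather than accept a caller-supplied `next` parameter that a downstream page might follow. The log scan is the detection counterpart: any token-bearing URL whose base is not a registered callback is worth an alert, regardless of which subdomain it landed on.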