Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow
This bug could allow a malicious user to takeover Facebook or Instagram accounts due to missing URL path checking in fallback_redirect_uri parameter specified in the Facebook OAuth flow endpoints.