These types of vulnerability are application specific - one scenario I can think of is this:
Imagine you are using Facebook authentication as a SSO mechanism and have created an app with a webservice that returns some private information to authenticated users. This webservice is called /secretdocuments/download
which takes an access token as a parameter.
If the webservice only checks that the access token it receives is for a user it has in the database (via a call to /me and then a DB lookup), then a malicious person could:
- Create some other "bait" app.
- Send a link to that app to one of your users and encourage them to install it.
- That user authenticates with the bait app and an access token is generated. The bait app sends this access token to the malicious user.
- The malicious user takes that access token and calls your
/secretdocuments/download
webservice with it. - Your webservice only checks that the access token is for a user which is in the database and returns the private information to the malicious user.
In this scenario, your webservice must check that the access token provided was generated by your application.