Really, there is not a single mention of 'state' in the docs:
http://vk.com/developers.php?oid=-1&p=%D0%90%D0%B2%D1%82%D0%BE%D1%80%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D1%8F_%D1%81%D0%B0%D0%B9%D1%82%D0%BE%D0%B2 http://vk.com/developers.php?oid=-1&p=%D0%94%D0%B8%D0%B0%D0%BB%D0%BE%D0%B3_%D0%B0%D0%B2%D1%82%D0%BE%D1%80%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D0%B8_OAuth
The attack described at http://homakov.blogspot.cz/2012/07/saferweb-most-common-oauth2.html is possible.
redirect_uri should be required to obtain access_token.
To obtain an access_token, you must send a request from your server to the URL https://oauth.vk.com/access_token, passing the code parameter and the application's secret data: client_id and client_secret. The application's secret key client_secret can be obtained in the application editing section and must never be included in the client application's code. A detailed list of parameters is available on the page describing how to obtain an access_token.
The 'code' leaks: when a path such as sitedomain.com/REFERER_LEAK is sent as redirect_uri, the attacker obtains the code and can easily use it.
In order to prevent such an attack, the authorization server MUST
ensure that the redirection URI used to obtain the authorization code
is identical to the redirection URI provided when exchanging the
authorization code for an access token. The authorization server
MUST require public clients and SHOULD require confidential clients
to register their redirection URIs. If a redirection URI is provided
in the request, the authorization server MUST validate it against the
registered value.
The callback parameter must be strictly sanitized:
https://api.vk.com/method/getProfiles?uid=66748&access_token=533bacf01e11f55b536a565b57531ac114461ae8736d6506a3&callback=alert(document.cookie)
This is a common mistake in response_type=token applications: they don't sanitize the URL fragment (document.hash) and pass it into a <script src>, so XSS is possible.
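As an added example (not VK's code and not from the original notes), a minimal authorization-server model that enforces the two checks discussed above: exact matching of redirect_uri against a registered value, binding the issued code to that redirect_uri (with a required state) so a code captured via a leaked path cannot be exchanged from a different callback, and allowlisting a JSONP callback name so a value like alert(document.cookie) is rejected. The client id, secret and URIs are constructed placeholders.

```python
# Added example, not VK's or the original post's code. Registration data,
# client ids, secrets and URIs are constructed placeholders.
import re
import secrets

REGISTERED = {  # constructed registration data: client_id -> app settings
    "app123": {"secret": "s3cr3t", "redirect_uri": "https://sitedomain.com/oauth/cb"},
}
_codes = {}  # code -> (client_id, redirect_uri) it was issued for


def authorize(client_id, redirect_uri, state):
    """Issue a code only for the exact registered redirect_uri; require state."""
    app = REGISTERED.get(client_id)
    if app is None or not state:
        return None
    if redirect_uri != app["redirect_uri"]:  # exact match, no prefix or path tricks
        return None
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, redirect_uri)
    return {"code": code, "state": state}  # state is echoed back for CSRF binding


def exchange(client_id, client_secret, code, redirect_uri):
    """RFC 6749 §4.1.3: redirect_uri here must equal the one used to obtain the code."""
    app = REGISTERED.get(client_id)
    if app is None or not secrets.compare_digest(client_secret, app["secret"]):
        return None
    issued = _codes.get(code)
    if issued is None or issued != (client_id, redirect_uri):
        return None  # unknown code, wrong client, or redirect_uri mismatch
    del _codes[code]  # a code is consumed by its single successful exchange
    return {"access_token": secrets.token_urlsafe(24)}


_CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]{0,63}")


def safe_callback(name):
    """Accept only a plain JS identifier as JSONP callback; code is rejected."""
    return _CALLBACK_RE.fullmatch(name) is not None
```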