Trying to continue the OAuth2 attacks saga started few months ago I am going to introduce a new kind of 'attack' named (by me, continuing the movie's name old tradition :D) 'The Postman Always Rings Twice'. I hope the reason of this name will be clear soon. In a nutshell the section 4.1.3 of the OAuth 2 core specification aka RFC 6749 says: The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. Now this is a really simple claim, but it turned out that two major providers as Facebook and Google violated it, until I did report the 'violation'. For this Facebook decided to reward me with a bug bounty (a while ago) and Google (only) with an honorable mention :(. Now you might wonder what is so dangerous on violating section 4.1.3 of the spec? Hopeful...