Nov 12, 2016

Source (linked in post): https://www.blackhat.com/docs/eu-16/materials/eu-16-Yang-Sig...

Only 15-20% of apps tested for Facebook/Google OAuth were vulnerable, perhaps because platform-specific login code might be available for those providers (so you don't have to roll your own OAuth client as an app developer).

Also, the requirement for performing an MITM with SSL certificate bypass again raises the complexity of the attack. But it's true that your information is only as secure as the browser/client you use to access it, and the security of the API endpoints such clients talk to (and how they validate OAuth credentials passed by the client).
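As an added example (not code from this comment or from the linked talk), here is the server-side check the last sentence refers to: a backend that derives the logged-in identity from the identity provider's answer about the token rather than from fields the client sends, and that rejects tokens issued to a different app. The provider lookup, client id and token values are constructed stand-ins.

```python
# Added example: validating an OAuth access token on the API backend.
# The provider lookup below is a constructed in-memory stand-in for a real
# tokeninfo/introspection call; all names and values are assumptions.

APP_CLIENT_ID = "example-app-client-id"  # assumed: the client id of our own app

# Constructed stand-in for the identity provider's view of issued tokens.
FAKE_PROVIDER_TOKENS = {
    "tok-alice": {"sub": "alice", "aud": APP_CLIENT_ID, "active": True},
    "tok-bob": {"sub": "bob", "aud": APP_CLIENT_ID, "active": True},
    "tok-other-app": {"sub": "alice", "aud": "some-other-app", "active": True},
    "tok-expired": {"sub": "alice", "aud": APP_CLIENT_ID, "active": False},
}


def provider_tokeninfo(access_token):
    """Stand-in for asking the provider whom a token belongs to."""
    return FAKE_PROVIDER_TOKENS.get(access_token)


def naive_login(request):
    """Weak pattern: the backend only checks that *some* token is present and
    then trusts the user id the client asserts. Whoever controls the request
    body controls which account they are logged into."""
    if not request.get("access_token"):
        return None
    return request.get("user_id")


def hardened_login(request, lookup=provider_tokeninfo):
    """Backend validates the token with the provider and takes the identity
    from the provider's answer, never from client-supplied fields."""
    info = lookup(request.get("access_token", ""))
    if info is None or not info.get("active"):
        return None  # unknown, revoked or expired token
    if info.get("aud") != APP_CLIENT_ID:
        return None  # issued to a different app: not valid for this backend
    return info["sub"]  # identity as vouched for by the provider
```

The difference shows up when the client-asserted `user_id` and the token's real owner disagree: only the hardened handler answers with the token's owner.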