Tokens from services like Facebook can be stolen
Unknown
Vulnerability Details
__Description__
This file https://mus1.badoo.com/cb.html looks for the parameters _access_token_, _token_ and _code_ in the URL and sends the value back to the `window.opener` using `window.opener.postMessage(message, '*');`. Because you specified `*` as the value of the second parameter of `postMessage()`, the browser is not going to check which window the opener is and will send the message, with the token, to any opener.
The problem here is that you can receive the message from a site you control and then use this token even to log in to Badoo.
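The callback pattern described above, as an added example that is not Badoo's code: the token-relaying function with the wildcard `targetOrigin` beside a hardened version that pins the opener's origin, plus the receiving side that checks `event.origin`. The origins `https://app.example` and `https://callback.example` and the function names are assumptions made for this example.

```javascript
// Added example (not from the report or from Badoo): relaying an OAuth callback
// parameter to window.opener, insecure and hardened forms. Origins are assumed.

const TOKEN_PARAMS = ['access_token', 'token', 'code'];

// Collect the token-like parameters from the callback URL (query string or fragment).
function extractTokenParams(urlString) {
  const url = new URL(urlString);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  const found = {};
  for (const name of TOKEN_PARAMS) {
    const value = url.searchParams.has(name) ? url.searchParams.get(name) : fragment.get(name);
    if (value !== null) found[name] = value;
  }
  return found;
}

// VULNERABLE: targetOrigin '*' means the browser delivers the token to whatever
// window opened this page, including a page on a site the attacker controls.
function relayTokenInsecure(opener, urlString) {
  const message = extractTokenParams(urlString);
  opener.postMessage(message, '*');
  return message;
}

// HARDENED: pin the target origin. The browser silently drops the message unless
// the opener's current document really is from expectedOpenerOrigin.
function relayTokenSecure(opener, urlString, expectedOpenerOrigin) {
  if (!opener) return null; // nothing to relay to when the page was not opened as a popup
  const message = extractTokenParams(urlString);
  opener.postMessage(message, expectedOpenerOrigin);
  return message;
}

// Receiver side (the application window): accept a token only from the
// callback page's origin, so a forged message from another site is ignored.
function makeTokenReceiver(callbackOrigin, onToken) {
  return function onMessage(event) {
    if (event.origin !== callbackOrigin) return false;
    if (!event.data || typeof event.data !== 'object') return false;
    onToken(event.data);
    return true;
  };
}
```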
__Proof of concept__
1. Download the file _opener.html_ that I attached.
2. Sign up to Badoo using Facebook.
3. Using the browser where you are logged in to Facebook, open the file that you downloaded in step 1.
4. Click on _Click Here_.
5. Wait a few seconds.
6. When it's done, your Facebook token for Badoo will appear in the page.
I attached a screen capture too (the size is 1.4MB).
Please, let me know if you need more information.
Report Stats
- Report ID: 92472
- State: Closed
- Substate: resolved
- Upvotes: 7