
When you are redirected from Facebook - either after clicking "Accept" or in an implicit flow - to the page with the next parameter, and that page redirects to attacker.com, then attacker.com will have access to the referer header†, which contains the access token. Using this access token, an attacker could extract the sensitive information from the victim's Facebook account.

† there are a few exceptions when the referer header isn't sent, e.g. an HTTPS->HTTP redirect, but an attacker could make sure that the referer header would be sent for the majority of victims
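The comment above describes the hop that leaks the token: the page that receives the access token in its URL honours an attacker-supplied next parameter, and the token-bearing URL travels to the redirect target in the Referer header. The mitigation on the application side is to never redirect to a next value that leaves your own origin. The validator below is an added example written for this thread, not code from Facebook or from the commenter; the host app.example.com and the helper names are assumptions. It rejects absolute URLs to other hosts, scheme-relative URLs (//attacker.com), the backslash variant browsers normalise to the same thing, userinfo tricks (https://app.example.com@attacker.com), and non-http schemes, and adds a Referrer-Policy header on the redirect response as defence in depth so that even an allowed redirect does not carry the referer.

```python
from urllib.parse import urlsplit

# Hypothetical application host; the thread does not name the site (assumption).
APP_HOST = "app.example.com"


def is_safe_next(next_value: str, app_host: str = APP_HOST) -> bool:
    """Return True only if `next` resolves to a path on our own origin.

    Anything that would make the browser navigate off-origin is rejected,
    because the token-bearing URL of the current page would then be sent
    to that origin as the Referer.
    """
    if not next_value:
        return False
    # Browsers treat "/\attacker.com" like "//attacker.com"; normalise first.
    candidate = next_value.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only allow an exact match of our own
        # https origin. This also rejects "https://app.example.com@attacker.com"
        # because the whole netloc (including userinfo) must equal app_host.
        return parts.scheme == "https" and parts.netloc == app_host
    # Relative URL: require a single-slash absolute path such as "/dashboard".
    # "//x" is scheme-relative and "dashboard" is ambiguous, so both are refused.
    return candidate.startswith("/") and not candidate.startswith("//")


def build_redirect(next_value: str, fallback: str = "/") -> dict:
    """Build the response headers for the post-login redirect.

    Unsafe `next` values fall back to a fixed local path. The Referrer-Policy
    header on the redirect response tells the browser not to send a Referer
    on the redirected request, so the current URL (which may still carry the
    token) is not disclosed even to an allowed target.
    """
    location = next_value if is_safe_next(next_value) else fallback
    return {
        "Status": "302 Found",
        "Location": location,
        "Referrer-Policy": "no-referrer",
    }


if __name__ == "__main__":
    # Constructed sample inputs, not values from the thread.
    for sample in ["/dashboard", "//attacker.com/", "/\\attacker.com",
                   "https://app.example.com@attacker.com/", "javascript:alert(1)"]:
        print(f"{sample!r:45} -> {build_redirect(sample)['Location']}")
```

Moving the token out of the URL altogether (receiving it via a POST body or exchanging a short-lived code server-side) removes the problem at its root; the validator above only closes the redirect hop for applications that still carry it in the query string.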



Always assumed the response was via post... It's silly to use get/url for that. Any ad or external library on the page can already see that then.. Everyone logs referer headers. Even using custom fonts directly from Google is already advertising your tokens...



