Yeah, OAuth 2.0 is a very poorly specified protocol. I mean, OAuth was conceived so as not to have to expose the username & password, but in version 2.0 of the spec signing in by transferring the username and the password is an explicit feature. What the actual F?
So it does not come as a surprise that those who actually implemented it have not done a great job. Side note: despite the article claiming so, Facebook is using their own auth protocol, which is closer to OAuth 1.0 than to 2.0. However, sure, the attack is possible if the server doesn't actually check the user-provided values.
Important: This isn't affecting us or our new system though. This attack is intersecting the client-server connection with the third-party server during the authentication. In our model, we are more like Facebook itself, and if anyone used our access token to sign in with your app (wat???) they very likely want to use that token to access the network, and that would fail in the described scenario.
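The check the post says a sloppy server skips, shown as an added example (not code from the original thread or from any named provider): a relying party that accepts an access token at login must confirm the token was issued to its own client registration, not just that it is valid for some client. The client id, scope name and introspection records are constructed for illustration.

```python
"""Relying-party validation of an OAuth 2.0 access token presented at login.

Added illustration, not code from the thread above. The token data is
constructed inline; in practice it would come from the authorization
server's token-introspection endpoint (RFC 7662 field names are used here)
or from the claims of a signed token.
"""
import time
from typing import Optional

OUR_CLIENT_ID = "app-123"      # assumed id of our own client registration
REQUIRED_SCOPE = "identity"    # assumed scope needed to log a user in

# Constructed introspection results, RFC 7662 style.
TOKEN_OURS = {"active": True, "client_id": "app-123", "sub": "user-42",
              "scope": "identity email", "exp": time.time() + 600}
TOKEN_OTHER_APP = {"active": True, "client_id": "app-999", "sub": "user-42",
                   "scope": "identity email", "exp": time.time() + 600}
TOKEN_EXPIRED = {"active": True, "client_id": "app-123", "sub": "user-42",
                 "scope": "identity", "exp": time.time() - 1}


def login_subject(introspection: dict, now: Optional[float] = None) -> Optional[str]:
    """Return the user id to log in, or None if the token must be rejected.

    The decisive check is client_id: a token the user obtained for a
    different app may be perfectly valid for the network, but it proves
    nothing about who is talking to *us*, so it must not log anyone in.
    """
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return None
    if introspection.get("client_id") != OUR_CLIENT_ID:
        return None  # token issued to another client: reject
    if introspection.get("exp", 0) <= now:
        return None  # expired
    if REQUIRED_SCOPE not in introspection.get("scope", "").split():
        return None  # lacks the scope we need for sign-in
    return introspection.get("sub")
```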