KingJulien

Reputation: 303

Facebook 'code' parameter as part of query string for OAuth authentication

Even though an Authorization Code is short-lived compared to an Authorization token, isn't there a vulnerability in sending it in a 'GET' request as a query string? Isn't it similar to sending a password using the GET method?

In other words, after authentication Facebook redirects the user's browser to mysite.com, sending the authorization code as a query string. Isn't it unencrypted? Can't a man in the middle who is listening to your packets read it and use it to hijack your session (the session at mysite.com)?

Say,

  1. I blocked the redirect (after getting the 'code' from Facebook) on my browser side (using some browser add-on/plug-in).
  2. I copied the complete redirect URL (www.mysite.com?code=AQCOtAV..blah) and tried it from a different browser.
  3. The request will go through and mysite.com will contact Facebook with the inbound Authorization Code along with the secretKey and clientId, authenticate, and generate an Authorization token (I haven't really tried this step: step 3).

I know I am missing something here. Kindly help me out.

Upvotes: 1

Views: 943

Answers (1)

KingJulien

Reputation: 303

Thanks @Zólyomi for pointing out that even though the authorization code is sent across as a query parameter, it's sent using HTTPS.

Answer: A query string sent across HTTPS is secure. No matter which HTTP method you are using, GET or POST, it's encrypted and no middleman can listen to it. More info: Is an HTTPS query string secure?

However, for numerous other reasons sending a password in the query string is not good practice (the password may appear in server logs as plain text as part of the URL, etc.). But that doesn't apply here, because the Authorization code is a short-lived one and it's useless once it's exchanged for the Authorization token.

Upvotes: 1
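The step-3 exchange the question describes, and the short-lived, single-use property the answer relies on, simulated as an added example. This is not the poster's code and not Facebook's API; the class and function names, the code lifetime, and the client credentials are constructed for the simulation.

```python
import hmac
import secrets
import time

# Assumed code lifetime for the simulation; real providers pick their own.
CODE_LIFETIME_SECONDS = 600


class AuthorizationServer:
    """Constructed stand-in for the provider: issues codes, redeems them once."""

    def __init__(self, clients, now=time.time):
        self.clients = clients   # client_id -> client_secret (registered apps)
        self.codes = {}          # code -> {"client_id", "issued_at", "used"}
        self.now = now

    def issue_code(self, client_id):
        # This is the value that rides in the redirect URL's ?code= parameter.
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "issued_at": self.now(), "used": False}
        return code

    def exchange(self, code, client_id, client_secret):
        """Back-channel redemption: returns a token or None on any failure."""
        entry = self.codes.get(code)
        if entry is None or entry["client_id"] != client_id:
            return None
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return None          # the code alone, without the app's secret, is not enough
        if entry["used"] or self.now() - entry["issued_at"] > CODE_LIFETIME_SECONDS:
            return None          # replayed or stale codes are refused
        entry["used"] = True
        return "access-token-" + secrets.token_urlsafe(16)


def handle_redirect(server, query_code, client_id, client_secret):
    """What mysite.com does with the ?code= it receives: redeem it server-side."""
    return server.exchange(query_code, client_id, client_secret)


def simulate_replay():
    """Walk through the scenario in the question with a controllable clock."""
    clock = [1_000.0]
    server = AuthorizationServer({"mysite": "s3cret"}, now=lambda: clock[0])
    code = server.issue_code("mysite")
    wrong_secret = handle_redirect(server, code, "mysite", "wrong")   # code without secret
    first = handle_redirect(server, code, "mysite", "s3cret")         # legitimate exchange
    replay = handle_redirect(server, code, "mysite", "s3cret")        # same URL, second browser
    stale = server.issue_code("mysite")
    clock[0] += CODE_LIFETIME_SECONDS + 1
    expired = handle_redirect(server, stale, "mysite", "s3cret")      # code past its lifetime
    return {"wrong_secret": wrong_secret, "first": first, "replay": replay, "expired": expired}
```

Only the first redemption with the correct client secret yields a token; the copied URL is worthless once exchanged or once the code has aged out.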
