Pre-Access to Victim’s Account via Facebook Signup

Email not verified

The application's social-login endpoint accepts the Facebook profile data:

https://example.com/auth2/access_token=Eposkdskdpo.........
Request Method: POST
Request body: {"email":"example@example.com","name":"hey","id":"fb-id"}

Facebook returns the email only if it is verified. Profile response for an unverified email:
{"id":"facebookidnumber","name":"Myname"}
Profile response for a verified email:
{"id":"facebookidnumber","name":"Myname","email":"victimemail@victim.com"}
Account already exists
1. The victim must not have previously created a normal or Facebook account and signed in.
2. If the application alerts users about sign-ins via Facebook and allows removing social sign-in, the impact goes down considerably.
3. Most applications, when no email is returned, redirect to the home page with the response {"statusCode":400,"error":"invalid_grant","message":"Bad Request","error_description":"Bad credentials"}
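The following is an added example of how an application can handle the Facebook profile defensively; it is not code from the original post or from the application described. It assumes a hypothetical in-memory account store (`AccountStore`) and profile dictionaries shaped like the Graph API responses quoted above. The three decisions it encodes are the ones the notes above point at: a profile without an email (Facebook omits unverified addresses) is rejected with the same `invalid_grant` response most applications return; an email that already belongs to an existing account does not grant access but requires the owner to link Facebook from a logged-in session; and only a verified email creates a fresh account.

```python
"""Defensive handling of a Facebook login profile (added example, hypothetical store)."""

# Constructed sample profiles, shaped like the responses quoted in the post.
PROFILE_NO_EMAIL = {"id": "facebookidnumber", "name": "Myname"}
PROFILE_WITH_EMAIL = {"id": "facebookidnumber", "name": "Myname",
                      "email": "victimemail@victim.com"}

# Error body most applications return when no email comes back (quoted from the post).
INVALID_GRANT = {"statusCode": 400, "error": "invalid_grant",
                 "message": "Bad Request", "error_description": "Bad credentials"}


class AccountStore:
    """Minimal in-memory account store (assumption; stands in for the real database)."""

    def __init__(self):
        self.by_email = {}        # email -> account dict
        self.by_facebook_id = {}  # facebook id -> account dict

    def register_password_account(self, email, name):
        """Normal signup; the real system would verify the address first."""
        if email in self.by_email:
            raise ValueError("account already exists")
        acct = {"email": email, "name": name, "facebook_id": None}
        self.by_email[email] = acct
        return acct

    def facebook_login(self, profile):
        """Return (status, payload) for a Facebook profile dict."""
        fb_id = profile.get("id")
        email = profile.get("email")

        # 1. Already linked Facebook id: returning user, grant access.
        if fb_id in self.by_facebook_id:
            return "ok", self.by_facebook_id[fb_id]

        # 2. No email: Facebook omits the address when it is unverified.
        #    Refuse instead of creating an account that could later be
        #    matched against a normal signup by address.
        if not email:
            return "error", INVALID_GRANT

        # 3. Email present but an account exists: do not silently grant access.
        #    The existing owner must link Facebook from a logged-in session.
        if email in self.by_email:
            return "link_required", {"email": email}

        # 4. Fresh account backed by a verified email.
        acct = {"email": email, "name": profile.get("name"), "facebook_id": fb_id}
        self.by_email[email] = acct
        self.by_facebook_id[fb_id] = acct
        return "ok", acct


if __name__ == "__main__":
    store = AccountStore()
    print(store.facebook_login(PROFILE_NO_EMAIL))     # ('error', {... 'invalid_grant' ...})
    store.register_password_account("victimemail@victim.com", "Victim")
    print(store.facebook_login(PROFILE_WITH_EMAIL))   # ('link_required', {...})
```

The key property is that nothing is ever written to the store on the unverified-email path, so a later normal signup with the same address cannot collide with a social-login account that the address owner never created.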
