
> so I can only assume it was a real Facebook oauth flow,

Another reason why we should be training users to only do OAuth in a browser with a password manager.

It's one last solid line of defence.

OAuth in a native app is a security risk.


That's not a silver bullet though. If the password manager does a poor job of domain matching, the user gets accustomed to having to manually search for logins once in a while.

Agreed. Not perfect but much better than nothing.
