
Yes, pretty sure. It wasn't an OAuth screen but the actual FB login screen.



Nope, it opens up a fake Facebook login screen, themed to look like Facebook

Yep, that's the Facebook login page alright.


I was confused at first because I use Facebook in a different browser, so it just gave me the login screen.

(OP here)

While you are absolutely right, I want to highlight that this was done in a quite sophisticated way. It's actually the real login page of Facebook in a webview. I have 2FA on all my accounts including FB, so it looked very legit. Once you have logged in, they seem to grep the token and close the webview.


I don't understand the step where the author is logging in with Facebook.

Was that a legit OAuth 2.0/OpenID Connect login? (In this case this must have been OAuth 2.0 with a scope giving the application write access to business stuff.)

Or was it a phishing page in which the author gave his Facebook password?


Thanks for sharing this, I was considering using Facebook for OAuth login, but now I'm not.

This is a strange conclusion from a site that accepts every OAuth option under the sun, with the Facebook login as the last presented major option.

Assuming a UX mind trick because someone has a strict password policy is a bit far-fetched IMO.


Yes, if you open it in the in-FB-app browser and log in.

Did it open a popup for you to log in with your Facebook credentials?

Yes, but it's the kind I can appreciate. Instead of a 'hey, connect with Facebook and then go through my signup process as well', he's using FBConnect as the authentication backend.

Thousands of apps have "Login with Facebook" (and others), and it's often impossible to know if it's a real OAuth flow or just a fake login page.

I'm certain you can implement Facebook login through standard OAuth and not have to rely on any of their code.
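Added example, not code from anyone in the thread: a minimal OAuth 2.0 authorization-code request and callback check for a "Login with Facebook" button that uses no vendor SDK, plus the origin test a user or app can apply to the login page URL. The endpoint and trusted domain are assumptions taken from Facebook's public OAuth documentation.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint and trusted domain are assumptions based on Facebook's public OAuth docs.
AUTH_ENDPOINT = "https://www.facebook.com/dialog/oauth"
TRUSTED_LOGIN_DOMAIN = "facebook.com"


def build_authorization_request(client_id, redirect_uri, scope):
    """Return (authorization_url, state). The state is kept server-side in the
    user's session and compared again on the callback (CSRF defence)."""
    state = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",   # authorization-code flow: no token in the browser
        "scope": scope,
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def is_trusted_login_origin(url):
    """True only for an https page on the provider's own domain. A look-alike
    such as https://facebook.com.evil.example/ fails this check."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return p.scheme == "https" and (
        host == TRUSTED_LOGIN_DOMAIN or host.endswith("." + TRUSTED_LOGIN_DOMAIN)
    )


def validate_callback(callback_url, expected_state, redirect_uri):
    """Return the authorization code, or None if the callback is not acceptable."""
    cb, want = urlparse(callback_url), urlparse(redirect_uri)
    if (cb.scheme, cb.netloc, cb.path) != (want.scheme, want.netloc, want.path):
        return None                       # delivered to the wrong redirect URI
    q = parse_qs(cb.query)
    if "error" in q:
        return None                       # user denied, or provider-side error
    state = q.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        return None                       # missing or forged state
    return q.get("code", [None])[0]
```

The code returned here is then exchanged for a token server-to-server, so the user's browser (or a webview) never holds the token.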

They did not. I think those are their own passwords if the user used the app directly without FB login.

Facebook is behind a login.

Yes, but my point is that a user who has handed over Facebook access has with it handed over 'login with Facebook' access.

From the site, it looks like the FB login page you get after clicking the button is all black, and then you get sent back to the app. The regular one would be in the normal colors. Although I suppose they could pop up a fake anonymous one on their own site, they wouldn't have the right URL. On Android the app allows login without entering a password as well, so I'd immediately know, because login through FB doesn't require my password but the app's fake version would.

It's not, which is why they are also removing FB login.

I would expect this from any app that implements using FB as your account to sign in, no?
