- Facebook log in
- Facebook log out
- Third-party account connection
"Now our Facebook account is connected to the victim account on that website and we can log in that account directly to change email/password, cancel bookings, read private messages and so on," Homakov wrote in a blog post.
However, any website that supports 'Login with Facebook' can be hacked by manually inserting its link into the tool that generates Facebook login requests on behalf of its users.
A Facebook spokesperson released a statement saying, "This is a well-understood behaviour. Site developers using Login can prevent this issue by following our best practices and using the 'state' parameter we provide for OAuth Login."
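The `state` check the statement refers to, sketched as an added example (this is not code from Facebook, Homakov, or the article). The dict-based session, `APP_ID`, and the `app.example` redirect URL are placeholder assumptions; the point is that a callback is accepted only when its `state` matches the value issued to the same browser session.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Facebook's OAuth dialog endpoint; client_id and redirect_uri used below are placeholders.
AUTH_ENDPOINT = "https://www.facebook.com/dialog/oauth"


def begin_login(session, client_id, redirect_uri):
    """Start a login: bind a fresh random state to this browser session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    })
    return f"{AUTH_ENDPOINT}?{query}"


def handle_callback(session, callback_url):
    """Return the authorization code only if state matches this session.

    The stored state is popped first, so it is single-use whether or not
    the check passes.
    """
    expected = session.pop("oauth_state", None)
    params = parse_qs(urlparse(callback_url).query)
    received = params.get("state", [None])[0]
    code = params.get("code", [None])[0]
    if not expected or not received or not code:
        return None  # callback this session never initiated, or malformed
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None  # state was issued to a different session
    return code


def demo():
    """Constructed scenario: two independent sessions, one crossed callback."""
    redirect = "https://app.example/callback"  # placeholder
    session_a, session_b = {}, {}
    begin_login(session_a, "APP_ID", redirect)
    url_b = begin_login(session_b, "APP_ID", redirect)
    state_b = parse_qs(urlparse(url_b).query)["state"][0]
    # A callback carrying session B's code and state arrives in session A.
    crossed = f"{redirect}?code=CODE_B&state={state_b}"
    return handle_callback(session_a, crossed), handle_callback(session_b, crossed)
```

In a real application the session would be the framework's server-side or signed-cookie session, and the account link would be created only after `handle_callback` returns a code.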