Potential security issue with Facebook login? [closed]

I am currently implementing Facebook Login on my website for the first time and I have some doubts on how secure this is.

I already have a database with users and for each one of them, I store an email address, so I really need to check whether an email address I get from Facebook is already present in my database or not, otherwise I would have some problems with duplicate users. If a user is already present, I simply merge data from Facebook into the existing account on my website and I connect the user. Otherwise, I create an account for him.

But here is the thing:

  1. Alice connects on my website using email address [email protected] but Alice is not registered on Facebook with that email address

  2. Bob registers on Facebook using Alice's email address [email protected] and verifies the account using an SMS received on any phone number (I checked and this is possible, an account can be verified without clicking on the link received by email). I agree that Alice would be notified on her email address but still, this is possible.

  3. Bob triggers login on my website using facebook connect, while being connected on Facebook using Alice's email address.

  4. Bob's Facebook account is active and verified, and I have to assume he already has an account on my website as [email protected] is already in my database, so I connect him instead of Alice and he can use my website on Alice's account.

=> I tried this scenario on several websites and I could connect on someone else's account (a fake Facebook account that I created ;) ), as long as I knew the email address.

Does anyone have an idea on how to prevent these situations?

Yacine S. asked May 18 '12 11:05


2 Answers

If it is true that Facebook doesn't need to confirm email and then acts as an openid-style provider, then this is shocking! But I guess the answer is already in your question - don't link/merge accounts. Or at least, don't do so from a facebook login attempt without first confirming the email yourself.

You can't change what friendface does, so you need to treat the email address provided by facebook connect as untrusted data. If a Facebook-connect login attempt is made with an email that already has a native account on your site, then send them an email confirmation code yourself - and do what facebook failed to do.

Another option is once a user is logged in to a native account, you could allow them to link the facebook account from there, should they wish to. This also allows you to support facebook login for users that have a different email address registered on the two sites.

Cheekysoft answered Sep 23 '22 08:09


This, I think, is not a Facebook bug/flaw. The problem is in the algorithm that is used by the sites that accept Facebook login.

Facebook logins should not be accepted if that email address is already registered on the site. It may be called "Facebook login", but do not forget that it really is a new account in the site database and should be treated like one.

In conclusion, if the site uses e-mail addresses as unique identification, it should not accept Facebook logins with the same e-mail address.

Adam Fili answered Sep 22 '22 08:09
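The two answers above describe the same defensive rule with two different policies: never merge a third-party login into an existing native account on the strength of the provider-reported email alone, and either confirm the address yourself first (Cheekysoft) or refuse the login outright (Adam Fili). The following is an added example, not code from the question or either answer, that models both policies in one place. It assumes an in-memory user table keyed by email, a separate table of linked provider identities keyed by the provider's stable user id, and a constructed provider profile in place of a real Facebook API response; the `Site` class, its method names and the `policy` values are all illustrative.

```python
"""Account-linking policy for a third-party (Facebook-style) login.

Added example for the Q&A above; not the site's or Facebook's code.
The only identity we ever trust is a (provider, subject) pair that we
linked ourselves. The email the provider reports is untrusted input
and may only trigger a confirmation mail, never a silent merge.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Site:
    # "verify": confirm the email ourselves before merging (Cheekysoft).
    # "reject": refuse provider logins whose email is already native (Adam Fili).
    policy: str = "verify"
    users: dict = field(default_factory=dict)    # email -> native user id
    links: dict = field(default_factory=dict)    # (provider, subject) -> user id
    pending: dict = field(default_factory=dict)  # token -> (provider, subject, email)
    outbox: list = field(default_factory=list)   # (email, token) confirmation mails

    def handle_provider_login(self, provider, subject, email):
        """Decide what to do after the provider says 'this user authenticated'.

        `subject` is the provider's stable user id (the value to key on);
        `email` is whatever the provider reports and is treated as untrusted.
        """
        email = email.strip().lower()
        key = (provider, subject)
        # 1. A previously linked identity logs straight in; the provider's
        #    current email claim is irrelevant once the link exists.
        if key in self.links:
            return ("login", self.links[key])
        # 2. The email collides with a native account: never merge silently.
        if email in self.users:
            if self.policy == "reject":
                return ("reject", None)
            token = secrets.token_urlsafe(32)
            self.pending[token] = (provider, subject, email)
            self.outbox.append((email, token))   # "do what facebook failed to do"
            return ("verify_email", None)
        # 3. Unknown email: this is a new account in our database.
        uid = self.create_user(email)
        self.links[key] = uid
        return ("created", uid)

    def confirm_email(self, token):
        """Complete a pending link once the mailbox owner presents the token."""
        for stored in list(self.pending):
            if hmac.compare_digest(stored, token):   # constant-time compare
                provider, subject, email = self.pending.pop(stored)
                uid = self.users[email]
                self.links[(provider, subject)] = uid
                return ("linked", uid)
        return ("invalid_token", None)

    def link_from_session(self, uid, provider, subject):
        """Link a provider identity from an already authenticated native session
        (the first answer's second option). Works even when the two sites hold
        different email addresses for the same person."""
        key = (provider, subject)
        if key in self.links and self.links[key] != uid:
            return ("already_linked_elsewhere", None)
        self.links[key] = uid
        return ("linked", uid)

    def create_user(self, email):
        """Native sign-up; ids are sequential for the toy store."""
        email = email.strip().lower()
        uid = len(self.users) + 1
        self.users[email] = uid
        return uid


if __name__ == "__main__":
    site = Site(policy="verify")
    site.create_user("alice@example.com")          # Alice's native account (constructed)
    # A provider account that merely claims Alice's address gets no access:
    print(site.handle_provider_login("facebook", "fb-bob", "Alice@Example.com"))
    # Only the holder of the mailbox can finish the link:
    print(site.confirm_email(site.outbox[0][1]))
```

Step 1 is the important one for the question's scenario: after a link exists, logins are keyed on the provider's user id, so a later change of the email on the provider side cannot re-route the login to a different native account. Step 2 is where the two answers differ, and a single `policy` switch covers both.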