2 comments

[ 2.7 ms ] story [ 19.6 ms ] thread
So, I just tested this; it's an access token that has no authorized scopes to access sensitive data. It literally only exposes public profile data, which basically just consists of name, picture info, and internal Facebook user ID -- the default public profile info listed in the developer docs.

Is it a security flaw? Absolutely. Is Facebook still terrible? Of course.

But this article is, frankly, egregiously inaccurate in its claims on the severity of the issue.

It’s dumber than that. The chrome extension requires *.facebook.com host permission. It can literally do whatever it wants - add friends, delete your profile, etc. You could write this same article about gmail, twitter, etc, any site in the world. The author just doesn’t understand chrome extension permissions