Facebook detects if you are logged in to Gmail

by Raisen   Last Updated November 15, 2017 23:03 PM

Today I was playing with some web security, and there was a surprise when I decided to test the Forget the Password link on Facebook.

I chose to send the password reset code to my Gmail address, and right after that Facebook popped up another window with a message telling me that I don't have to worry about my password reset code as I am already logged into my Gmail account.

[Image: Already logged in]

How can they do that?

I am guessing that it has something to do with the OpenID protocol, but shouldn't I have to allow it in order for Facebook to interact with my Gmail account?



Answers 5


In Account Settings, there's a "Linked Accounts" section where you can have Facebook automatically log in if you're logged in to one of your OpenID-enabled accounts on other sites. Maybe you forgot that you linked your Gmail account?

Charlie Melbye
November 05, 2011 23:09 PM

The OAuth tokens for Google are at https://accounts.google.com/b/0/IssuedAuthSubTokens (it's different from Linked Accounts).

When I tried it, Facebook created a popup with an OAuth prompt the first time and only briefly opened a blank popup on subsequent attempts. De-authorizing Facebook makes the prompts appear again.

antimatter15
November 05, 2011 23:46 PM

Have you looked at your Google account to see if you gave Facebook permission to access your Google information?

microft
November 05, 2011 23:50 PM

It uses OpenID. If you've previously used OpenID to give Facebook access to your e-mail (such as to import your contacts to Facebook), then it'll try and do that. If you haven't done so, then you'd be presented with a prompt to give Facebook access (if you say no, then just go and actually wait for the password reset e-mail to get delivered to you).

Yuliy
November 06, 2011 05:07 AM

This isn't the case. As mentioned, the only site that can access GMail cookies is GMail. I have just tested this exact method and (having never authorised before) the popup took me to a page on the accounts.google.com sub-domain asking me to authorise access for Facebook. This is exactly what I would expect and hope to happen.

It would appear the OP has previously authorised such an action, maybe through Google Buzz or similar?

Matt
November 06, 2011 09:27 AM
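
The behaviour reported in the answers above (a consent prompt on first use, a popup that only flashes on later attempts, and the prompt returning after de-authorizing) can be modelled from the provider's side. This is an added example, not part of the original thread and not Google's or Facebook's code; `IdentityProvider`, `cookie_for`, the hosts `idp.example` and `rp.example`, and the user are constructed assumptions.

```python
import secrets
from urllib.parse import urlencode, urlparse

class IdentityProvider:
    """Hypothetical stand-in for the account provider's authorize endpoint."""
    def __init__(self):
        self.sessions = {}   # session cookie value -> logged-in user
        self.grants = set()  # (user, client_id) pairs the user has approved

    def login(self, user):
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid           # the browser stores this for the provider's host only

    def revoke(self, user, client_id):
        self.grants.discard((user, client_id))

    def authorize(self, cookie, client_id, redirect_uri, state, approve=None):
        user = self.sessions.get(cookie)
        if user is None:
            return "login_page", None          # no provider session: must sign in
        if (user, client_id) not in self.grants:
            if approve is None:
                return "consent_prompt", None  # visible popup asking the user
            if not approve:
                denied = urlencode({"error": "access_denied", "state": state})
                return "redirect", f"{redirect_uri}?{denied}"
            self.grants.add((user, client_id))
        # Existing grant: answer immediately, so the popup only flashes.
        ok = urlencode({"code": secrets.token_hex(8), "state": state})
        return "redirect", f"{redirect_uri}?{ok}"

def cookie_for(jar, url):
    """Browser rule: a cookie is attached only to requests for its own host."""
    return jar.get(urlparse(url).hostname)

def demo():
    idp = IdentityProvider()
    jar = {"idp.example": idp.login("alice")}  # constructed session
    callback = "https://rp.example/callback"   # relying party (the site asking)

    def popup(approve=None):
        cookie = cookie_for(jar, "https://idp.example/authorize")
        return idp.authorize(cookie, "rp", callback, "s1", approve)[0]

    steps = [popup(), popup(approve=True), popup()]
    idp.revoke("alice", "rp")
    steps.append(popup())
    return steps, cookie_for(jar, callback)    # relying party receives no cookie

if __name__ == "__main__":
    print(demo())
```

The requesting site only ever receives the redirect parameters; the provider's session cookie stays scoped to the provider's host, which is why the consent decision is made there.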
