Hello,
The Facebook developer team contacted us as part of a test of my Facebook app. They had problems logging into my website. But that's ok, probably CleanTalk that prevents that.
Anyway, during our tests we found that the URL I am redirected to after a successful login, the opauth URL: /my-account/?opauth=YTozOntzOjQ6ImF1dGgiO2E6NXXXXXXXXXXX, is like an open book. I sent the URL to Facebook and they were given direct access to my account.
I have done several tests and my account is accessible to anyone that gets access to the opauth URL, even if I have logged out, changed password, deactivated Facebook login or whatever; the account is wide open for anyone visiting the opauth URL.
Any idea? The facebook team was a little scared about that.
Brgds
Rune
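The behaviour described in the post above (the callback URL acting as a permanent, replayable login credential) is what a single-use, short-lived, server-side callback token is meant to rule out. The following is an added illustration written for this thread, not code from the site, from opauth or from the plugin in question; the class name, the 60-second lifetime and the revocation hooks are assumptions.

```python
import secrets
import time


class CallbackTokenStore:
    """Server-side store for one-time login tokens handed out on an OAuth callback.

    Contrast with the post: instead of placing the serialized identity in the URL,
    the URL carries only an opaque random token. The token is consumed on first use,
    expires after ttl_seconds, and is dropped on logout, password change or when
    social login is disabled, so a leaked URL cannot be replayed later.
    """

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._tokens = {}  # token -> (user_id, issued_at)

    def issue(self, user_id, now=None):
        """Create a fresh token for user_id right after the provider confirmed the login."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._tokens[token] = (user_id, now)
        return token

    def redeem(self, token, now=None):
        """Exchange a token for the user id exactly once; None means 'do not log in'."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)  # pop: a second visit finds nothing
        if entry is None:
            return None
        user_id, issued_at = entry
        if now - issued_at > self.ttl:
            return None  # too old, even if never used
        return user_id

    def revoke_user(self, user_id):
        """Hook for logout, password change or disabling social login (assumed hooks)."""
        stale = [t for t, (u, _) in self._tokens.items() if u == user_id]
        for t in stale:
            del self._tokens[t]


def replay_scenarios(store=None):
    """Run the three failure modes from the post and report whether each replay works."""
    store = store or CallbackTokenStore(ttl_seconds=60)
    t1 = store.issue("rune", now=1000)
    first, second = store.redeem(t1, now=1001), store.redeem(t1, now=1002)
    t2 = store.issue("rune", now=1000)
    expired = store.redeem(t2, now=1000 + 61)
    t3 = store.issue("rune", now=1000)
    store.revoke_user("rune")  # e.g. password changed before the URL was visited
    revoked = store.redeem(t3, now=1001)
    return {"first": first, "replay": second, "expired": expired, "revoked": revoked}
```

Each dictionary entry that is `None` is a login attempt that was refused; only the very first visit succeeds.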