
I'm implementing a Log In With Facebook button on my website, and will be using the email field for two purposes:

  • create a new account if I don't have this email in my user database
  • match an existing account if I have a user with this email address

Does Facebook guarantee that they verified the user owns this email address when they return the field in their API?

Otherwise, in the (unlikely) event that a user of my website does not have a Facebook account, someone could create a Facebook account with this email, without validating it, to log in to my website with their account.

BenMorel

1 Answer


They are supposed to be, but Facebook has had issues in the past of unverified emails being allowed to pass through the API (see "Is it possible to check if an email is confirmed on Facebook?").

If you implicitly allow Facebook accounts to link up via email, then the next time Facebook has an issue they can effectively take control of all your users' accounts.

The secure way to link users up is to either:

  • Ask a normal user to link their Facebook account by logging into it.
  • Ask a Facebook user to log in with your site's normal account.
Kit Sunde
  • But that's specifically what Log In With Facebook is for, isn't it? Allowing users to sign up to your website without having to enter their information once again. I know users can *not* have an email set, I'll handle this case; but do you have a source for your statement that it might not be verified? And is there a way to check whether it is verified or not? – BenMorel Aug 07 '15 at 00:37
  • @Benjamin It's for authenticating users, not implicitly associating disjoint accounts. Here's an old SO question on this subject: https://stackoverflow.com/questions/14280535/is-it-possible-to-check-if-an-email-is-confirmed-on-facebook No there's no way of checking. It seems to just *almost always* be the case. – Kit Sunde Aug 07 '15 at 00:48
  • @Benjamin Ah I suppose that it was just a bug. Could be safe then I guess until the next time Facebook gets bugged. ;) It's still safer to make people explicitly link their accounts though. – Kit Sunde Aug 07 '15 at 00:50
  • Excellent, thanks for the pointer. I'm quite confident to rely on this behaviour then. There is no reason Facebook exhibits the same bug twice if they use regression testing. FUD is a developer's worst enemy :) – BenMorel Aug 07 '15 at 08:46
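The explicit-link approach the answer recommends, as an added example that is not code from the question, the answer, or Facebook's SDK. The in-memory `USERS` store, the `facebook_login` and `link_facebook` functions, and the shape of the `profile` dict are assumptions; the point is that an e-mail returned by the identity provider creates a new account or matches a previously linked Facebook id, but never logs the caller into an existing local account on its own.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from typing import Optional

def hash_password(pw, salt=None):
    """PBKDF2-SHA256 with a random 16-byte salt stored in front of the digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def check_password(pw, stored):
    return hmac.compare_digest(hash_password(pw, stored[:16]), stored)

@dataclass
class User:
    email: str
    password_hash: Optional[bytes] = None
    facebook_id: Optional[str] = None   # set only by the explicit link step

USERS = {}   # constructed in-memory user database, keyed by lower-cased e-mail

def facebook_login(profile):
    """Handle the identity Facebook's API returned (assumed dict with 'id', 'email').
    Returns one of ('logged_in', user), ('created', user), ('link_required', None)."""
    fb_id, email = profile["id"], profile["email"].lower()
    # 1. Previously linked account: the Facebook id, not the e-mail, is the key.
    for user in USERS.values():
        if user.facebook_id == fb_id:
            return "logged_in", user
    # 2. Unknown e-mail: a fresh account owned by this Facebook id is safe to create.
    if email not in USERS:
        USERS[email] = User(email=email, facebook_id=fb_id)
        return "created", USERS[email]
    # 3. E-mail collides with an existing, unlinked local account. Do not log in:
    #    the address may be unverified on Facebook's side, so the local account
    #    owner must prove ownership with their site password first.
    return "link_required", None

def link_facebook(email, password, fb_id):
    """Explicit link step: the existing site password authorises the link."""
    user = USERS.get(email.lower())
    if user is None or user.password_hash is None:
        return False
    if not check_password(password, user.password_hash):
        return False
    user.facebook_id = fb_id
    return True
```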