by tgsovlerkhgsel 2103 days ago
> OP didn't screenshot the login screen in app, so I can only assume it was a real Facebook oauth flow

My guess would be that it was an in-app phishing page. Many legitimate login flows result in the official login page opening in a web view and asking for a password, which is indistinguishable from a phishing page.

> but honestly at that point it's already too late. If anything OP should be grateful that the native app running on what was presumably his personal device didn't do anything worse.

On phones, sandboxing significantly reduces the risk. Yes, it is possible to break out of the sandboxes if you have an exploit for that device, but it's a lot harder than on desktop where by default anything you install has full control over everything and could just steal all the users' passwords.


> Many legitimate login flows result in the official login page opening in a web view and asking for a password, which is indistinguishable from a phishing page.

I don't understand how Google/Facebook/etc can allow this to happen, let alone encourage it. I'm just baffled.

AFAIK Google doesn't encourage it and made some efforts to block it: https://auth0.com/blog/google-blocks-oauth-requests-from-emb...

Hasn't been 100% effective unfortunately, and even if it was, it's really hard to make users understand that this flow is incredibly dangerous.

And while Google on Android can simply go through system libraries, Facebook doesn't have the option if the app is not installed. They have to open something that will allow the user to log in (usually a browser), which is something the app can fake (in the case of the browser, just fake the whole browser UI, fake address bar included).
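The block Google applied to OAuth requests from embedded web views (the link above) works by inspecting the User-Agent string the web view sends. The following is an added example, not Google's own code or anything from this thread: it approximates such a server-side check on constructed User-Agent strings modelled on the formats Android WebView, WKWebView, Chrome and Safari send, and then shows why it is only a speed bump, since an app that embeds a web view also controls the User-Agent it presents. The sample strings, the regexes and the function names are this example's own assumptions.

```python
"""Heuristic detection of OAuth requests arriving from an embedded web view.

Added example (not Google's implementation). The signals used are the ones the
platforms themselves put in the UA: Android's Chrome-based WebView adds "; wv)"
and a "Version/4.0" token, and an iOS WKWebView omits the "Safari/<ver>" token
that Mobile Safari always carries.
"""
import re

# Constructed sample User-Agent strings, not captured from real traffic.
UA_ANDROID_WEBVIEW = ("Mozilla/5.0 (Linux; Android 10; Pixel 3 Build/QQ3A.200805.001; wv) "
                      "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                      "Chrome/86.0.4240.198 Mobile Safari/537.36")
UA_ANDROID_CHROME = ("Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/86.0.4240.198 Mobile Safari/537.36")
UA_IOS_WKWEBVIEW = ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) "
                    "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148")
UA_IOS_SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) "
                 "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 "
                 "Mobile/15E148 Safari/604.1")
UA_DESKTOP_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36")

_ANDROID_WV = re.compile(r";\s*wv\)")          # Android WebView marker
_ANDROID_VERSION4 = re.compile(r"\bVersion/4\.0\b")  # legacy WebView token
_IOS_DEVICE = re.compile(r"\((?:iPhone|iPad|iPod)[;)]")
_SAFARI_TOKEN = re.compile(r"\bSafari/\d")      # present in real Safari, absent in WKWebView


def is_embedded_webview(user_agent):
    """True if the UA looks like an app-embedded web view (or is missing)."""
    ua = user_agent or ""
    if not ua:
        return True  # unknown client: treat as untrusted
    if "Android" in ua and (_ANDROID_WV.search(ua) or _ANDROID_VERSION4.search(ua)):
        return True
    if _IOS_DEVICE.search(ua) and "AppleWebKit" in ua and not _SAFARI_TOKEN.search(ua):
        return True
    return False


def oauth_authorize_decision(user_agent):
    """'block' renders an error page instead of the login form; 'allow' proceeds."""
    return "block" if is_embedded_webview(user_agent) else "allow"


def spoof_as_system_browser(webview_ua):
    """What a malicious app can do in one line: strip the web-view markers.

    This is the reason the check cannot be 100% effective: the UA is chosen by
    the same app that embeds the web view.
    """
    ua = _ANDROID_WV.sub(")", webview_ua)
    ua = _ANDROID_VERSION4.sub("", ua)
    ua = re.sub(r"\s{2,}", " ", ua)
    if _IOS_DEVICE.search(ua) and not _SAFARI_TOKEN.search(ua):
        ua += " Safari/604.1"
    return ua


if __name__ == "__main__":
    for name, ua in [("android webview", UA_ANDROID_WEBVIEW), ("android chrome", UA_ANDROID_CHROME),
                     ("ios wkwebview", UA_IOS_WKWEBVIEW), ("ios safari", UA_IOS_SAFARI),
                     ("desktop chrome", UA_DESKTOP_CHROME)]:
        print(f"{name:16s} -> {oauth_authorize_decision(ua)}")
    print("spoofed webview  ->", oauth_authorize_decision(spoof_as_system_browser(UA_ANDROID_WEBVIEW)))
```

The honest web views are caught, the real browsers pass, and the spoofed string passes too. That is the practical limit of a User-Agent check: it stops well-behaved apps from normalising in-app logins, which is still worth doing, but it does nothing against an app that is actively phishing.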

I misunderstood the part I quoted, I thought it was about web pages asking you to log in via Google/Facebook. So the problem I was thinking of is more generally entering Google credentials into logins provided to us by a third party. The "don't use the link in your email to log into google, go to gmail.com instead" advice has been seriously degraded by this. It should always be that if you aren't already logged in, you have to go yourself to gmail/facebook/etc and log in there.
It wasn't oauth, it was a normal facebook login. The application didn't fake anything, but simply extracted the session cookie after login.
How could they prevent it?
Ban apps that do that.
And how are they supposed to do that? If it's a fake login (aka phishing) page facebook wouldn't even know about it. The only effective way is to dissuade consumers from entering their login credentials in-app, but even that's tricky because if it's a malicious app they could "fake" a web browser complete with a fake "address bar".
This is why "with a password manager" is a crucial part of the puzzle.

You have to fail at several steps if you're entering your credentials in this scenario.
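The reason a password manager is one of those several steps is that it decides whether to offer a credential from the origin the browser engine reports, not from whatever a page paints into a fake address bar. The following is an added example, not code from any real password manager or from this thread: a small origin-bound autofill check over a constructed vault, exercised against the kinds of look-alike URLs a phishing page or a faked browser UI relies on. The vault contents, host-matching rule and function names are this example's own assumptions; a real manager would match on the public-suffix-aware registrable domain rather than a plain suffix.

```python
"""Origin-bound credential autofill (added example, not a real password manager).

The vault is keyed by the host a credential was saved on. A fill request
carries the URL as the browser engine knows it; if that origin does not match,
the credential is simply not offered, no matter what the page looks like.
"""
from urllib.parse import urlsplit

# Constructed vault for the example; not real credentials.
VAULT = {
    "google.com": ("alice@example.com", "correct horse battery staple"),
    "facebook.com": ("alice@example.com", "hunter2"),
}


def host_matches(host, saved_host):
    """Exact host or a subdomain of the saved host (e.g. accounts.google.com)."""
    return host == saved_host or host.endswith("." + saved_host)


def credential_for(url):
    """Return (username, password) only when the real origin matches the vault.

    Returns None for plaintext HTTP, for URLs with no host, and for any host
    that is not the saved one or a subdomain of it. The URL is parsed by the
    standard library, so userinfo tricks ("accounts.google.com@evil.example")
    and path tricks ("evil.example/accounts.google.com") resolve to the
    attacker's host, not Google's.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return None
    for saved_host, cred in VAULT.items():
        if host_matches(host, saved_host):
            return cred
    return None


def fill_decisions(urls):
    """Map each URL to the username that would be offered, or None."""
    return {u: (credential_for(u) or (None,))[0] for u in urls}


if __name__ == "__main__":
    # Constructed URLs: one legitimate login page and several impostors.
    for url, user in fill_decisions([
        "https://accounts.google.com/signin",
        "https://accounts.google.com.evil.example/signin",
        "https://accounts.google.com@evil.example/signin",
        "https://evil.example/accounts.google.com/signin",
        "http://accounts.google.com/signin",
        "https://notgoogle.com/signin",
    ]).items():
        print(f"{'FILL' if user else 'no fill':8s} {url}")
```

A native app drawing its own login form (or a faked browser chrome) has no verifiable origin at all, so under this rule nothing is ever offered there; the user would have to copy the password out by hand, which is exactly the extra failure step the comment above is counting on.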

They're supposed to ban the legitimate apps, so as to not normalize the interface that leads to phishing attempts. Right now, it's totally encouraged by google to enter your login credentials by clicking "log in with google" at a random site and just typing into the fields presented to you.