by andybak 2099 days ago
> so I can only assume it was a real Facebook oauth flow,

Another reason why we should be training users to only do OAuth in a browser with a password manager.

It's one last solid line of defence.

OAuth in a native app is a security risk.

1 comments

That's not a silver bullet though. If the password manager does a poor job of domain matching, the user gets accustomed to having to manually search for logins once in a while.
Agreed. Not perfect but much better than nothing.