Cheraw Chronicle

Okta acknowledges customers affected by Lapsus$ attack – Computer – News

1. The user wants to log in to Tinder
2. Redirect Tinder to Facebook
3. The user logs in to Facebook
4. The user is redirected to Tinder, with an icon in the URL
5. Tinder (server-side) exchanges this token for an access token

Is that correct? I think this is a summary of what I wrote in the previous post.

6. Tinder uses the access token to get the user’s email address via Facebook.
7. (Tinder also checks if an access code has been issued for Tinder and not for another app)
8. If all these verifications are successful, the user will be granted access to the Tinder account associated with that email address.

Is that correct? This is a summary of what I said in my post.

My point now is: who is stopping Facebook from returning a different email address in step 6? If they return [email protected] in step 6, I’m on your account. So Facebook has that power. So you should be completely confident that Facebook does not want to display your profile. (And that they are not being hacked / that they are not cooperating with the FBI / that the employee does not want to stalk his ex.)

A similar issue can be seen here with Okta. If you outsource the entire authentication, you risk the possibility of a login (or a hacker or an employee).

I think we were talking to each other, but I didn’t say anything wrong. If so, I’d like to know what step is going wrong here. I’ve worked enough with these types of login systems to get a good idea, but I’m no expert.

Finally:

So they can’t start streaming from Tinder and then log in with your Facebook account because you need your password or your session has been hacked for that.

I don’t have a password on Tinder, and I don’t have a session when scanning my phone. However, I can start the authentication flow (just click “login with Facebook”). Then the authentication happens back at Facebook, they have all control over it, they don’t need a password, but they can generate access tokens whenever they want.
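
Steps 5 to 8 of the flow listed in the comment above, as an added sketch that is not part of the original post and does not use Facebook's or Tinder's real APIs. `MockIdP`, `RelyingParty`, the app ids and the `example.test` addresses are all constructed for illustration; the point is that the step 7 check stops tokens minted for another app, while the account chosen in step 8 rests entirely on the email the identity provider reports.

```python
import secrets

class MockIdP:
    """In-memory stand-in for the identity provider (constructed, hypothetical)."""
    def __init__(self):
        self._codes = {}    # one-time code -> (app_id, email)
        self._tokens = {}   # access token  -> (app_id, email)

    def authorize(self, app_id, email):
        # Steps 3-4: the user authenticates at the IdP, which redirects back with a code.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (app_id, email)
        return code

    def exchange(self, code, app_id):
        # Step 5: server-side exchange; a code is single-use and bound to one app.
        issued_for, email = self._codes.pop(code)
        if issued_for != app_id:
            raise PermissionError("code was issued to a different app")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (app_id, email)
        return token

    def inspect(self, token):
        # Steps 6-7: the IdP says which app and which email the token belongs to.
        app_id, email = self._tokens[token]
        return {"app_id": app_id, "email": email}

class RelyingParty:
    """The app that outsources login (hypothetical)."""
    def __init__(self, idp, app_id, accounts):
        self.idp, self.app_id, self.accounts = idp, app_id, accounts

    def callback(self, code):
        return self.login_with_token(self.idp.exchange(code, self.app_id))

    def login_with_token(self, token):
        info = self.idp.inspect(token)
        if info["app_id"] != self.app_id:      # step 7: audience check
            raise PermissionError("token was issued for another app")
        # Step 8: the email reported by the IdP alone selects the account.
        return self.accounts[info["email"]]

if __name__ == "__main__":
    idp = MockIdP()
    rp = RelyingParty(idp, "dating-app", {"alice@example.test": "account-alice"})
    print(rp.callback(idp.authorize("dating-app", "alice@example.test")))
```
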