I came across this particular app which is spreading virally among many Malaysian Facebook users:
https://www.facebook.com/SpritzNetworks/app_190322544333196
The app is asking users to copy-paste a so-called Sony Xperia Mobile token into their app.
Apparently the supposed mobile token is actually the user's Facebook access token created for that particular Sony Xperia app.
What are the repercussions of sharing the Facebook access token with the app this way?
Best Answer
You open yourself to access you most likely don't want to give. An access token is a way for a user to state that they are giving limited access for an application to see data.
Copy-pasting the access_token means that you bypass the OAuth flow that prevents any hijacks of your account.
The access_token is in plain sight because the redirect_uri is set to http://facebook.com which doesn't handle the response:
https://www.facebook.com/dialog/oauth?response_type=token&display=popup&client_id=104018109673165&redirect_uri=http://www.facebook.com/&response_type=token&perms=&scope=publish_stream,offline_access,user_photos,friends_photos,publish_actions,read_stream,email,user_status,user_activities,user_likes
Gives the intruder (https://www.facebook.com/SpritzNetworks) access to the following
Many shady pages use the Xperia app as a way to coax users into giving away their access token.
Summary: Don't give out your access_token, you aren't even supposed to know it exists in the first place.
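To make the answer's point concrete, here is an added example (not part of the original question or answer, and not Facebook's or Spritz Networks' code) that parses the OAuth dialog URL quoted above and shows why the token ends up in plain sight: response_type=token selects the implicit flow, so the token comes back in the URL fragment of the redirect, and a redirect_uri pointing at facebook.com itself has no handler for it. The risk descriptions of the individual scopes are this example's own summary of what those legacy Facebook permissions granted, and the redirect URL with a placeholder token is constructed for the demonstration.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# The OAuth dialog URL quoted in the answer above.
DIALOG_URL = (
    "https://www.facebook.com/dialog/oauth?response_type=token&display=popup"
    "&client_id=104018109673165&redirect_uri=http://www.facebook.com/"
    "&response_type=token&perms=&scope=publish_stream,offline_access,"
    "user_photos,friends_photos,publish_actions,read_stream,email,"
    "user_status,user_activities,user_likes"
)

# Scopes that let a third party act as the user or keep access indefinitely.
# The descriptions are this example's own summary, not an official list.
HIGH_RISK_SCOPES = {
    "publish_stream": "post to the user's wall and friends' walls",
    "publish_actions": "publish actions on the user's behalf",
    "offline_access": "token does not expire with the login session",
    "read_stream": "read the user's news feed",
    "email": "read the user's e-mail address",
}


def parse_oauth_request(url: str) -> dict:
    """Break a Facebook OAuth dialog URL into its security-relevant parts."""
    q = parse_qs(urlparse(url).query, keep_blank_values=True)
    scope = q.get("scope", [""])[0]
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_uri": q.get("redirect_uri", [""])[0],
        # response_type=token selects the implicit flow: the token is handed
        # to the browser in the URL fragment instead of being exchanged
        # server-side with the app secret.
        "implicit_flow": "token" in q.get("response_type", []),
        "scopes": [s for s in scope.split(",") if s],
    }


def assess(url: str) -> dict:
    """Flag what a copied token would grant and why the user can see it."""
    info = parse_oauth_request(url)
    flagged = {s: HIGH_RISK_SCOPES[s] for s in info["scopes"] if s in HIGH_RISK_SCOPES}
    # A redirect_uri that is just facebook.com has no page that consumes the
    # fragment, so the token sits in the address bar, which is exactly what the
    # "paste your mobile token" instruction relies on.
    host = urlparse(info["redirect_uri"]).netloc.lower()
    token_left_in_address_bar = info["implicit_flow"] and host.endswith("facebook.com")
    return {
        "flagged_scopes": flagged,
        "token_left_in_address_bar": token_left_in_address_bar,
        "long_lived": "offline_access" in info["scopes"],
    }


def token_from_redirect(redirected_url: str) -> Optional[str]:
    """Show where the token sits after the implicit-flow redirect.

    It is in the fragment (#...), which browsers never send to any server, so
    the only party that can read it is whoever looks at the address bar and
    pastes it somewhere, as the app in the question asks users to do.
    """
    frag = urlparse(redirected_url).fragment
    return parse_qs(frag).get("access_token", [None])[0]


if __name__ == "__main__":
    report = assess(DIALOG_URL)
    for scope, why in report["flagged_scopes"].items():
        print(f"{scope}: {why}")
    print("token visible in address bar:", report["token_left_in_address_bar"])
    # Constructed redirect with a placeholder token, not a real credential.
    print(token_from_redirect("http://www.facebook.com/#access_token=EXAMPLE_TOKEN_PLACEHOLDER&expires_in=0"))
```

Run on the URL from the answer, the report flags five of the ten requested scopes as high risk, notes that offline_access makes the token long-lived, and confirms the token is left in the address bar; pasting it into a third-party form hands that full permission set to whoever runs the form.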